Chapter 1 - Introduction [intro:]

Section 1.1 Motivation

This paper introduces Strong Dependency, a formal theory of information transmission in computational systems. We develop a number of proof techniques and show how they can be used in solving information problems.

The need to study information transmission arose from our work on the Confinement Problem [Lampson 73]. Imagine that some user of a service has to tell the service personnel private information. The user wants to guarantee that the information is kept private. That is, no information is to be transmitted from the program executing the "service" to anyone but the "user" (or perhaps other "users" designated by her).

We believed that the protection mechanism developed for the Hydra Operating System [Wulf 74, Cohen & Jefferson 75] allowed the construction of an elegant solution to the Confinement Problem. However, in order to prove that a solution to the Confinement Problem was indeed correct, we needed to develop a formal theory of information transmission in computational systems. This paper introduces the basics of such a formalism, and presents a number of examples to illustrate its use.


Section 1.2 Computational Systems [compsys:]

We have defined a computational system [Cohen 76] as a pair, $\langle \Sigma, \Delta \rangle$, where $\sigma \in \Sigma$ is a state of the system, and $\delta \in \Delta$ is an operation.

Each state is wholly comprised of a set of objects, each having a fixed unique name. If a is the name of some object, we write σ.a to mean the value of a in state σ. Formally, a state is a vector of objects

$\sigma = \langle \sigma.n_1, \sigma.n_2, \ldots \rangle$

where $\langle n_1, n_2, \ldots \rangle$ is the list of object names in lexicographic order. If A is a set of object names, we write σ.A to mean

$\sigma.A \equiv \langle \sigma.a_1, \sigma.a_2, \ldots \rangle$

where $\langle a_1, a_2, \ldots \rangle$ is the list of names in A in lexicographic order. This definition permits us to write

$\sigma_1.A = \sigma_2.A$ for $(\forall a \in A)(\sigma_1.a = \sigma_2.a)$


We define

>> Def 1-1] $\sigma_1 =_A \sigma_2$

$\sigma_1 =_A \sigma_2 \equiv_{def} (\forall a \notin A)(\sigma_1.a = \sigma_2.a)$

That is, if $\sigma_1 =_A \sigma_2$, then states σ1 and σ2 may differ only in the values of the objects named by A. For the special case, where σ1 and σ2 may differ only in the value of a single object α, we define

>> Def 1-2] $\sigma_1 =_\alpha \sigma_2$

$\sigma_1 =_\alpha \sigma_2 \equiv_{def} (\forall a \neq \alpha)(\sigma_1.a = \sigma_2.a)$

Objects may themselves have some internal structure (including pointers to other objects). However, such details are part of an interpretation and not part of our abstract model. As an example though, we might write σ.x.k to mean the value of the k'th component of object x in state σ.


We formally define an operation δ as a function from states to states. Semantically, we interpret $\delta(\sigma) = \sigma'$ to mean that execution of δ in state σ may alter some objects in the state to produce a new state σ'. We find it useful to describe operations in terms of an informal programming-like language. For example, if σ' were just like σ, except that σ'.β = σ.α, we could write

δ: β ← α

A history is a sequence of operations (e.g. δ1δ2δ3). When a history is applied to a state, the operations in the history are applied sequentially from left to right. Formally we define

>> Def 1-3] H(σ) (recursively defined)

$\Lambda(\sigma) \equiv \sigma$ (Λ is the null history - no operations)

We write both HH' as well as H·H' to mean the concatenation of the sequences H and H' (note that · is not commutative).


If a system is started in state σ and some arbitrary sequence of operations H is executed, then the system exhibits some behavior which can be completely described by the pair <σ,H>. We call a pair <σ,H> a behavior or a computation.


Protection in operating systems is often modelled using a matrix of protection rights [Lampson 71]. Briefly, we describe such a model as follows: Before any operation permits an object to be accessed in some way, the matrix is checked to determine whether the executor of the operation has the appropriate right for that access. For example, if execution of some operation would permit Cohen to write into the Salary file, the operation would first check that Cohen has the right to write the Salary file, notationally

$w \in \langle Cohen, Salary \rangle(\sigma)$

That is, are w (write) rights to be found in the <Cohen,Salary> entry of the protection matrix in state σ?


paper, we will occasionally refer to a simple system having three rights, s (subject), r (read) and w (write), interpreted as

$s \in \langle x, x \rangle(\sigma)$  allows x to execute operations in state σ
$r \in \langle x, \alpha \rangle(\sigma)$  allows x to read file α in state σ
$w \in \langle x, \beta \rangle(\sigma)$  allows x to write file β in state σ

An operation copy(user, fnew, fold) that allows "user" to copy the contents of fold to fnew might be defined as

copy(user, fnew, fold) ≡ if $s \in \langle user, user \rangle(\sigma) \wedge r \in \langle user, fold \rangle(\sigma) \wedge w \in \langle user, fnew \rangle(\sigma)$ then fnew ← fold

That is, "user" must be able to execute (be a subject), read fold, and write fnew.

Section 1.4 Behavioral Problems [behprob:]

We showed in [Cohen 76] that many problems ordinarily considered to be protection problems can be formally characterized as constraints on the behavior of the system. Consider the problem: Cohen is not to be able to write the Salary file. This problem characterizes those behaviors of the system as "acceptable" which, when executed, do not execute any operations that have the effect of causing a write access of the Salary file by Cohen.

We can write Ψproblem to characterize these acceptable behaviors, where

$\Psi_{problem}(\sigma, \Lambda) \equiv true$

$\Psi_{problem}(\sigma, H\delta) \equiv \Psi_{problem}(\sigma, H) \wedge \neg Wacc(Cohen, Salary)(H(\sigma), \delta)$

where $Wacc(x, \beta)(\sigma, \delta)$ is defined so that it holds when operation δ, executed in state σ, makes a write access by x to β.

We say that such a problem is an enforcement problem and that it may be solved by appropriately constraining the initial state of the system. These initial states are "secure" in that, no matter what sequence of operations is subsequently executed, the behavior executed (determined by <initial state, sequence of operations>) is guaranteed to be acceptable. Formally, if Φsolve characterizes these secure initial states, then we say that Φsolve enforces Ψproblem where

>> Def 1-4] Φsolve enforces Ψproblem iff

$(\forall \sigma, H)(\Phi_{solve}(\sigma) \supset \Psi_{problem}(\sigma, H))$

Information problems are concerned with preventing the transmission of information and are fundamentally different from the enforcement problems described above. For example, a solution to the Salary file problem defined above does not necessarily solve the problem: No information is to be transmitted from Cohen to the Salary file. Cohen may be able to place information in some other file, where a confederate may write it to the Salary file.
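The distinction just drawn can be checked mechanically on a toy system. The following is an added example, not code from the paper: it builds the copy operation of section 1.3 over a small protection matrix, evaluates Ψproblem by recording the write accesses each operation makes (the role played by Wacc), checks Def 1-4 by exhausting every history up to a fixed length, and then lists the acceptable histories after which the Salary file holds what Cohen's Notes file held initially. The subjects Cohen and Ann, the files Notes, Scratch and Salary, their rights and contents, and the bound on history length are all constructed assumptions.

```python
# Added example, not code from the paper: an enforcement check (Def 1-4)
# on a protection-matrix system in the style of section 1.3, and a search
# for acceptable histories that nonetheless move Cohen's data into Salary.
from itertools import product


def copy(user, fnew, fold):
    """copy(user, fnew, fold) from section 1.3:
       if s in <user,user>(sigma) and r in <user,fold>(sigma)
          and w in <user,fnew>(sigma) then fnew <- fold.
    The returned operation maps a state to (new state, write accesses made);
    the second component is what Wacc(x, beta)(sigma, delta) inspects."""
    def op(state):
        matrix, files = state["matrix"], dict(state["files"])
        rights = lambda subj, obj: matrix.get((subj, obj), "")
        allowed = ("s" in rights(user, user) and "r" in rights(user, fold)
                   and "w" in rights(user, fnew))
        if allowed:
            files[fnew] = files[fold]
        return {"matrix": matrix, "files": files}, ({(user, fnew)} if allowed else set())
    op.__name__ = f"copy({user},{fnew},{fold})"
    return op


def run(history, state):
    """H(sigma) applied left to right, also collecting the write accesses made."""
    accesses = []
    for op in history:
        state, writes = op(state)
        accesses.append(writes)
    return state, accesses


def psi_problem(state, history, x="Cohen", beta="Salary"):
    """Psi_problem(sigma, H): no operation of H makes a write access by x to beta
    (the recursive definition of section 1.4, unrolled over the history)."""
    _, accesses = run(history, state)
    return all((x, beta) not in writes for writes in accesses)


def phi_solve(state):
    """Phi_solve(sigma): Cohen holds no w right on Salary.  Rights never change
    in this system, so a constraint on the initial state persists."""
    return "w" not in state["matrix"].get(("Cohen", "Salary"), "")


def histories(ops, max_len):
    """Every history of length 0..max_len over the operation set."""
    for n in range(max_len + 1):
        yield from product(ops, repeat=n)


def enforces(phi, psi, initial_states, ops, max_len=2):
    """Def 1-4, checked exhaustively over histories of bounded length:
    (forall sigma, H)( Phi(sigma) implies Psi(sigma, H) )."""
    return all(psi(s, h) for s in initial_states if phi(s)
               for h in histories(ops, max_len))


def information_reaches(initial, ops, source, target, max_len=2):
    """Histories acceptable to Psi_problem after which target holds what source
    held initially: the enforcement problem is solved, the information problem
    is not.  Returns the operation names of each such history."""
    found = []
    for h in histories(ops, max_len):
        final, _ = run(h, initial)
        if psi_problem(initial, h) and final["files"][target] == initial["files"][source]:
            found.append([op.__name__ for op in h])
    return found


# Constructed initial state: Cohen may read Notes and read/write Scratch; Ann may
# read Scratch and write Salary.  Cohen has no right at all on Salary.
INITIAL = {
    "matrix": {("Cohen", "Cohen"): "s", ("Cohen", "Notes"): "r", ("Cohen", "Scratch"): "rw",
               ("Ann", "Ann"): "s", ("Ann", "Scratch"): "r", ("Ann", "Salary"): "w"},
    "files": {"Notes": "cohen-private", "Scratch": "", "Salary": "payroll"},
}
OPS = (copy("Cohen", "Salary", "Notes"),    # denied: no w in <Cohen,Salary>
       copy("Cohen", "Scratch", "Notes"),
       copy("Ann", "Salary", "Scratch"))

if __name__ == "__main__":
    print("Phi_solve enforces Psi_problem:", enforces(phi_solve, psi_problem, [INITIAL], OPS))
    print("acceptable histories moving Notes into Salary:",
          information_reaches(INITIAL, OPS, "Notes", "Salary"))
```

The enforcement check succeeds because Cohen never obtains a write access to Salary, yet the search finds the two-step history in which Cohen copies Notes into Scratch and Ann copies Scratch into Salary, which is exactly the confederate route described above and the reason an information problem needs a different formalization.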

It is tempting to try to describe the information problem as an enforcement problem as well. Suppose we write

α-(σ:H)->β

to mean that information flows from α to β over execution of behavior <σ,H>. Then we can describe the information transmission problem formally as

Ψproblem(σ,H) ≡ ¬ Cohen-(σ:H)->Salary

However, we need first to be able to define the meaning of α-(σ:H)->β. Such a definition is difficult for the following reason. Suppose that some operation δ caused β to be written into only if some property p held true of α, and that p did not hold true of α in state σ. We might naively conclude that ¬α-(σ:H)->β. However, an observer of β may note that β is not written into and may therefore conclude that property p does not hold true of α. Even though β has not actually been written into, information about α (the fact that p does not hold true of α) is nonetheless transmitted to β in state σ.

[Jones & Lipton 75] have described such situations by the term "negative inference". [Denning 75] has termed such information transmission "implicit flow" as distinguished from the case where β is explicitly written into.

There are a number of solutions to this dilemma. One might define α-(σ:H)->β in such a way that implicit flow is taken into consideration. In [Cohen 76], we argue that such an approach is inappropriate - that the determination of acceptable behaviors (and thus the information transmitted) is actually determined in part by the constraints (i.e. Φsolve) placed on the system.

Section 1.5 Models of Information Transmission [modinf:]

[Denning 75] and [Case 74] have gotten rid of the problem of implicit flows by disregarding the state in which an operation is executed. Information is considered to flow from α to β over execution of δ (which we can write as α-(δ)->β) so long as there exists some state in which execution of δ explicitly transmits information from α to β.

Information flow of a sequence of operations is defined by assuming that information flow is transitive. That is, information flow is defined recursively as

α-(Λ)->β ≡ (α = β)   (Λ is the null history)

α-(Hδ)->β ≡ (∃m)( α-(H)->m ∧ m-(δ)->β )

where m may be the same as α or β (e.g. m-(δ)->m as long as the execution of δ does not completely overwrite m). It must be noted that in [Case 74], no definition is given for α-(δ)->β; it is left to the reader's intuition. Denning, in [Denning 75], shows how information flow may be defined for a particular programming language, but again (though the definition of α-(δ)->β must conform to certain theoretical considerations), it does not derive from a theoretical formulation of the meaning of information transmission. In this paper, we will show how such a definition may be derived from the semantics of a given operation, though we will use the notation

The assumption of transitivity in defining information flow over sequences of operations turns out to be a dangerous one. Consider the sequence of operations δ1δ2, where

δ1: if q then m ← α

δ2: if ¬q then β ← m

α-(δ1)->m and m-(δ2)->β. By transitivity, α-(δ1δ2)->β, though it is clear that no information can in fact be transmitted from α to β. We shall introduce a technique we call separation of variety to handle such non-transitive situations.

In effect, an execution of δ2 that transmits information from m to β must occur in an environment in which q is false, but in such an environment, no information could have been transmitted from α to m by δ1. We may formally characterize an environment by a constraint Φ, that corresponds to an assertion about the state in which an operation is to be executed. We suggested above that the constraint itself must be used in determining what information transmission takes place. [Millen 76] has explored such an approach and has shown how certain information paths may be ignored in the face of appropriate constraints. We will also be studying information transmission in the presence of constraints, formally validating the approach and determining (in discussing non-autonomous constraints) its limits (which determines the limits of Millen's approach as well).

The work of both Denning and Millen is directed primarily towards analysis of information paths in sequential programs. We will be concerned more generally with analysis of information paths and the solution of information problems (determining how certain information paths may be eliminated) in arbitrary computational systems, considering sequential programs as a special case.

Section 1.6 Strong Dependency [istrdep:]

In this paper, we introduce the Strong Dependency formalism as a means of characterizing information transmission in computational systems. Strong Dependency is not an information flow model. Instead, it is based on a cybernetic or information theoretic approach to information transmission.

We imagine that each object in a system may take on a set of values; this is known as the variety of the object. Information can be transmitted from one object to another if the variety of the first object can be conveyed to the other object.


[ Our formal definition of Strong Dependency is similar to a formalism introduced by [Jones & Lipton 75], though their approach was not an information theoretic one. They argue that no information is transmitted from α to β in some system if that system can be transformed into another system with the following property: the values taken on by β are the same in both systems, but the transformed system does not access α. In effect the Strong Dependency formalism compares the original system not with a transformed system, but with a system just like the original one except that α takes on an arbitrarily different initial value. ]


Next we show that, by placing an initial constraint on a system, we may reduce the variety in an object. If the variety is sufficiently reduced, no variety may be conveyed, and no information can be transmitted.

We find that Strong Dependency only corresponds to information transmission in systems constrained by certain classes of constraints. Progress on theories that correspond to information transmission in systems with arbitrary constraints is discussed in section 7.2.


Section 1.7 Plan of the Paper [plan:]

In chapter 2, we discuss the details of the Strong Dependency formalism.

In chapter 3 we show how the Strong Dependency formalism can be used to define information problems including the Confinement Problem. We define a solution to an information problem as a constraint that eliminates information transmission as required by the description of the problem. We also present a measure based on Strong Dependency for comparing and evaluating solutions.

In chapter 4 we introduce Strong Dependency Induction, a technique for showing that certain classes of solutions (constraints) solve information problems. We also formally develop Separation of Variety, a technique for handling non-transitivity in information transmission. In chapters 5 and 6 we extend the class of constraints that can be used with Strong Dependency Induction. In chapter 6, we also show how Strong Dependency Induction can be used to explore information transmission in the execution of sequential programs. Chapter 7 discusses other work in progress.

Section 1.8 A Cybernetic Evaluation

Cybernetics first [Ashby 56] formalized the idea that information transmission has nothing to do with the content of the messages transmitted, but depends only upon the way "variety" is conveyed. Information theory represents one direction taken based on that approach; it analyzes the amount of variety conveyed from one object to another in small noisy systems. We will pursue a different course. We consider whether any variety is conveyed at all from one object to another in large noiseless systems.

Our task is compounded by the fact that there is neither a single source nor a single receiver. Each object in the system may potentially receive information from, or send information to, any other object in the system. Work in progress (see section 7.4) is directed toward extending classical information theory in the directions suggested by this paper.

An information theoretic approach is probably useful; one may not in general be able to completely prevent information transmission in a system designed to be kind to users. In particular, consider a user who leaks information by execution of some peculiar sequence of disk operations [Lampson 73]. One might simply be satisfied to introduce enough noise to guarantee that the bandwidth from the user to the disk is sufficiently low.


For the purposes of this paper, we will generally ignore these quantitative issues; we only ... transmitted from one object ...
Chapter 2 - Strong Dependency & Information Transmission [strinf:]


Section 2.1 Introduction

In this chapter, we introduce the Strong Dependency formalism as a means of characterizing information transmission in computational systems. We view information transmission in a cybernetic, or information theoretic, sense. We imagine that each object in a system may take on a set of values; this is known as the variety of the object. Information can be transmitted from one object to another if the variety of one object can be conveyed to another object.

We argue that information can be transmitted from an object α to an object β, if for two different values of α, execution of some history might place different values in β.

Next we show that, by placing an initial constraint on a system, we may reduce the variety in an object. If the variety is sufficiently reduced, no variety may be conveyed, and no information can be transmitted. In this chapter, we only consider a class of constraints we call autonomous constraints, those which constrain the variety in an object independently of the value of other objects. Non-autonomous constraints introduce complications in our analysis that we will begin to discuss in chapter 5.


Section 2.2 Variety and Information Transmission [varinf:]

"... At first, when one thinks of, say, a telegram arriving, one notices only the singleness of one telegram. Nevertheless, the act of 'communication' necessarily implies the existence of a set of possibilities, i.e. more than one, as the following example will show.

"A prisoner is to be visited by his wife, who is not to be allowed to send him any message however simple. It is understood that they may have agreed, before his capture, on some simple code. At her visit, she asks to be allowed to send him a cup of coffee; assuming the beverage is not forbidden, how is the warder to ensure that no coded message is to be transmitted by it? He knows that she is anxious to let her husband know whether or not a confederate has yet been caught.

"The warder will cogitate with reasonings that will go somewhat as follows: 'She might have arranged to let him know by whether the coffee goes in sweetened or not - I can stop that simply by adding lots of sugar and then telling him I have done so. She might have arranged to let him know by whether or not she sends a spoon - I can stop that by taking away any spoon and then telling him that Regulations forbid a spoon anyway. She might do it by sending tea rather than coffee - no, that's stopped because, as they know, the canteen will only supply coffee at this time of day.' So his cogitations go on: what is noteworthy is that at each possibility he intuitively attempts to stop the communication by enforcing a reduction of the possibilities to one - always sweetened, never a spoon, coffee only, and so on. As soon as the possibilities shrink to one, so soon is communication blocked, and the beverage robbed of its power of transmitting information. The transmission (and storage) of information is thus essentially related to the existence of a set of possibilities. The example may make this statement plausible; in fact it is also supported by all the work in the modern theory of communication, which has shown abundantly how essential, and how fruitful, is the concept of the set of possibilities.

"Communication thus necessarily demands a set of messages. Not only is this so, but the information carried by a particular message depends on the set it comes from. The information conveyed is not an intrinsic property of the individual message."

W. Ross Ashby, "An Introduction to Cybernetics"

Information can be transmitted from α to β in a system if the variety, the set of values that can be taken on by α, can be conveyed to β. For example, if α and β both contain 16 bit integers (and α initially can take on each of these values with equal probability), then we might imagine that execution of

δ: β ← α

would transmit 16 bits of information from α to β, and that is, in fact, correct. The set of values possible for α represents 16 bits worth of variety. All of this variety can be conveyed to β by execution of δ. After execution of δ, an observer of β can determine all (16 bits worth) of the information initially in α.

Next imagine that α is known to be a constant, say 342. No information is transmitted from α to β. There is no variety in α and so none can be transmitted to β. By executing δ, an observer of β can find out α's value. But α's value is already known! No information is transmitted at all.

In a computational system, it is not necessary that the source be constrained to be constant to prevent information transmission. Consider:

δ: if α < 10 then β ← 0 else β ← 1

If it is known that α is always less than 10, then again no information is transmitted from α to β. Execution of δ will always set β to 0, regardless of the value of α (given that α is less than 10). If α is not so constrained, then one bit of information can be transmitted from α to β. That bit (detected by determining whether β is 0 or 1 after execution of δ) indicates whether or not α is initially less than 10. Without the constraint "α is less than 10", some information about the variety of α can be transmitted to β. With it, none is transmitted at all.

Imagine picking some state σ1 and then some other state σ2 that is just like σ1 but arbitrarily varies from it in its value at α. Suppose history H is then executed and it is found that the values of β are the same regardless of whether H was executed in state σ1 or σ2. The variety in α has not been transmitted to β since the resulting value of β is the same in both cases.

Now suppose that for any pair of states, σ1 and σ2, that differed only at α, execution of H would result in identical values for β. Then under no circumstances could any of α's variety be conveyed to β by executing H. No information could be transmitted from α to β. Formally
>> Def 2-1] No information is transmitted from α to β by H iff

$(\forall \sigma_1, \sigma_2)(\sigma_1 =_\alpha \sigma_2 \supset H(\sigma_1).\beta = H(\sigma_2).\beta)$

(note from section 1.2 that $\sigma_1 =_\alpha \sigma_2$ means that σ1 and σ2 must be the same except for the value of α)

We have already seen that if the values of certain objects are known to be appropriately constrained (e.g. α is less than 10), then no information can be transmitted. We can represent this constraint by Φ. For example

$\Phi(\sigma) \equiv \sigma.\alpha < 10$

If the variety among the states is known to be constrained by Φ, the pairs of states chosen as described above need only be chosen from those that satisfy Φ (e.g. those in which α is less than 10).

>> Def 2-2] $\sigma_1 \overset{\Phi}{=}_\alpha \sigma_2$ iff

$\Phi(\sigma_1) \wedge \sigma_1 =_\alpha \sigma_2 \wedge \Phi(\sigma_2)$

We might then argue (not completely correctly, as we shall discover in chapter 5) that, if a system is initially constrained by Φ, then no information is transmitted from α to β by execution of history H as long as

$(\forall \sigma_1, \sigma_2)(\sigma_1 \overset{\Phi}{=}_\alpha \sigma_2 \supset H(\sigma_1).\beta = H(\sigma_2).\beta)$

Section 2.3 Strong Dependency [strdep:]

In this section, we introduce the notation of Strong Dependency.

>> Def 2-3] σ1 and σ2 differ only at α and differ at β after H

$\sigma_1 \mathrel{{}_\alpha\Diamond^{H}_\beta} \sigma_2 \equiv_{def} (\sigma_1 =_\alpha \sigma_2 \wedge H(\sigma_1).\beta \neq H(\sigma_2).\beta)$
>> Def 2-4] β strongly depends on α after H

$\alpha \rhd^{H} \beta \equiv_{def} (\exists \sigma_1, \sigma_2)(\sigma_1 \mathrel{{}_\alpha\Diamond^{H}_\beta} \sigma_2)$

By comparing this definition with that of 2-1 above, we see that

$\alpha \rhd^{H} \beta$ iff information can be transmitted from α to β by H

In other words, Strong Dependency is a formal definition of information transmission.

We have formalized transmission of information from one object to another. It is often useful to think of the source of information as a set of objects. For example, in

δ: β ← α1 + α2

we might want to say that information is transmitted from the set of objects {α1,α2} to β. We extend the above definitions quite easily.

>> Def 2-5] σ1 and σ2 differ only at A and differ at β after H

$\sigma_1 \mathrel{{}_A\Diamond^{H}_\beta} \sigma_2 \equiv_{def} \sigma_1 =_A \sigma_2 \wedge H(\sigma_1).\beta \neq H(\sigma_2).\beta$

>> Def 2-6] β strongly depends on A after H

$A \rhd^{H} \beta \equiv_{def} (\exists \sigma_1, \sigma_2)(\sigma_1 \mathrel{{}_A\Diamond^{H}_\beta} \sigma_2)$

The reader may wonder whether it is possible to find that information is transmitted from some set of objects A to β and yet find that the objects in A taken singly do not transmit information to β. That is not the case in the example above. We find both that

$\{\alpha_1, \alpha_2\} \rhd^{\delta} \beta$ as well as

$\alpha_1 \rhd^{\delta} \beta$ and $\alpha_2 \rhd^{\delta} \beta$
In general, if $A \rhd^{H} \beta$ and α (where α ∈ A) plays any part in affecting the value of β, we will find that $\alpha \rhd^{H} \beta$. A formal proof of this statement requires an information theoretic argument that is part of work in progress (section 7.4). [ For other comments on this example, see section 7.2. ]

Using Strong Dependency alone, we can show that if $A \rhd^{H} \beta$, at least one object in A transmits information to β. Formally

Theorem 2-1]

$A \rhd^{H} \beta \supset (\exists \alpha \in A)(\alpha \rhd^{H} \beta)$

Formally we say that information can be transmitted from A to β in a system if it can be transmitted from A to β over some history. We define

>> Def 2-7] β strongly depends on A

$A \rhd \beta \equiv_{def} (\exists H)(A \rhd^{H} \beta)$

Section 2.4 Strong Dependency with Initial Constraints [strphi:]

In this section, we extend the Strong Dependency formalism to cover those cases where the variety in the state space is constrained by some Φ. We extend the formalization exactly as we expanded definition 2-1 above.

>> Def 2-8] σ1 and σ2 are constrained by Φ and are equal except at A

$\sigma_1 \overset{\Phi}{=}_A \sigma_2 \equiv_{def} \Phi(\sigma_1) \wedge \sigma_1 =_A \sigma_2 \wedge \Phi(\sigma_2)$

>> Def 2-9] σ1 and σ2 differ only at A and differ at β after H given Φ

$\sigma_1 \mathrel{{}_A\Diamond^{H,\Phi}_\beta} \sigma_2 \equiv_{def} \sigma_1 \overset{\Phi}{=}_A \sigma_2 \wedge H(\sigma_1).\beta \neq H(\sigma_2).\beta$
>> Def 2-10] β strongly depends on A after H given Φ

$A \rhd^{H}_{\Phi} \beta \equiv_{def} (\exists \sigma_1, \sigma_2)(\sigma_1 \mathrel{{}_A\Diamond^{H,\Phi}_\beta} \sigma_2)$

>> Def 2-11] β strongly depends on A given Φ

$A \rhd_{\Phi} \beta \equiv_{def} (\exists H)(A \rhd^{H}_{\Phi} \beta)$

Intuitively, no matter how a system is constrained, if β depends upon some set of objects A1 which is included in A2, then β should depend upon A2 as well, for A2 provides at least as much information. Formally

Theorem 2-2] (proof left to reader)

$A_1 \subseteq A_2 \supset (A_1 \rhd^{H}_{\Phi} \beta \supset A_2 \rhd^{H}_{\Phi} \beta)$

If β depends upon A given Φ1, and if Φ2 permits more variety in the system than does Φ1, there is more opportunity for information transmission; thus β should depend upon A given Φ2 as well. Formally

Theorem 2-3]

$\Phi_1 \subseteq \Phi_2 \supset (A \rhd^{H}_{\Phi_1} \beta \supset A \rhd^{H}_{\Phi_2} \beta)$

where

$\Phi_1 \subseteq \Phi_2 \equiv_{def} (\forall \sigma)(\Phi_1(\sigma) \supset \Phi_2(\sigma))$

Section 2.5 Reflexivity [rflx:]

In this section we explore the reflexivity of Strong Dependency. We show that it may not be reflexive over execution of some history if that history causes the value of some object to be written over. We show that $\rhd$ is not reflexive over the empty history if some object initially exhibits no variety.

Strong Dependency may be reflexive. Consider a system in which both α and β are 16 bit integers and


δ: β ← α

We find that $\alpha \rhd^{\delta} \alpha$. All of the variety initially in α remains in α after execution of δ.

However, $\neg\, \beta \rhd^{\delta} \beta$. Over execution of δ, the original contents of β are destroyed, so that any variety among possible initial values of β will not be retained in (or conveyed to) β after execution of δ. In fact, any of the initial variety in β is completely lost to the system.

Dependence is generally reflexive over the empty history, except where an object is constrained so that it may only contain a single value. If

$\Phi(\sigma) \equiv \sigma.\alpha = 37$

we find that $\alpha \rhd^{\Lambda} \alpha$ but $\neg\, \alpha \rhd^{\Lambda}_{\Phi} \alpha$

The constraint Φ eliminates any of the variety in α. If α does admit variety, then certainly that variety will not be destroyed over the empty history. But if α is constrained so that no variety is there initially, the empty history will not convey any new variety to α.

If φ eliminates the variety in some set A, then no information can be transmitted from A to any object over any history. If there is no variety in A, there is none to be conveyed. Formally,

Theorem 2-4]

$(\forall \alpha \in A)(\ \neg\, A \Vdash_{\varphi} \alpha\ ) \supset (\forall \beta)(\ \neg\, A \Vdash_{\varphi} \beta\ )$

Finally we note that any information transmission over the empty history must be reflexive. If no operation is executed, no real (non-reflexive) information transmission can take place.

Theorem 2-5]

$A \Vdash_{\varphi} \beta \supset \beta \in A$

Section 2.6  Autonomy  [autonomy:]

In this section, we discuss a class of constraints on the initial state we call autonomous. In chapter 6, we show that the Strong Dependency formalism corresponds to our intuitive notion of information transmission for autonomous constraints, whereas it may not for non-autonomous constraints.

Autonomous constraints restrict the variety in each object independently of the values of other objects. Non-autonomous constraints indicate relationships among the values of different objects. For example,


$\varphi(\sigma) \equiv \sigma.\alpha < 10 \wedge \sigma.\beta \equiv 6 \bmod 10$   is autonomous

$\varphi(\sigma) \equiv \sigma.\alpha < 10 \wedge \sigma.\beta < 10$   is autonomous

$\varphi(\sigma) \equiv (\forall x)(\ \sigma.x < 10\ )$   is autonomous

$\varphi(\sigma) \equiv \sigma.\beta = \sigma.\alpha + 10$   is non-autonomous

$\varphi(\sigma) \equiv \sigma.\alpha < 10 \supset \sigma.\beta = 4$   is non-autonomous

For now, we can think of autonomous constraints as a conjunction of conditions, each condition independently constraining the value of a single object. A formal definition of autonomy can be found in section 5.4.

Though autonomy seems quite a strict condition, it does model a number of common useful situations. For example, in [Cohen 76], we consider the problem of guaranteeing that a set of "sensitive" objects can only be altered by certain processes executing verified programs. The initial constraint on the protection state that guaranteed that the condition held was quite complex, but autonomous nonetheless.

Autonomous predicates are useful for "typing" objects. One might partition objects on some basis. For example, Int(x) might be true if x were to represent an integer, while Smallint(x) might characterize small integers. An autonomous φ might then require that objects representing small integers have small integer values. Formally

$\varphi(\sigma) \equiv (\forall x)(\ Smallint(x) \supset -16 \le \sigma.x \le 15\ )$


Alternately, each object might itself contain a designation of its own type as well as its value. The corresponding autonomous constraint might then be:

$\varphi(\sigma) \equiv (\forall x)(\ \sigma.x.type = \text{"smallint"} \supset -16 \le \sigma.x.value \le 15\ )$

The consideration of non-autonomous constraints adds a certain complexity to the analysis of information transmission. As we noted above, Strong Dependency does not necessarily correspond to information transmission for non-autonomous constraints.

In section 2.3, we extended the formalism of strong dependency to allow the source of information transmission to be a set of objects. We showed that, if information is transmitted from a set of objects A to β, then at least one of the objects in A must itself be a source. This remains true even if we autonomously constrain the system.

Theorem 2-6]

If φ is autonomous then

$A \Vdash^{H}_{\varphi} \beta \supset (\exists \alpha \in A)(\ \alpha \Vdash^{H}_{\varphi} \beta\ )$


Strong Dependency ( 3 )    page 20

Chapter 3 - Solving Information Problems  [infslvs:]

Section 3.1  Introduction  []


"...the subject matter of Cybernetics is not events or objects but the information "carried" by events and objects. We consider the objects or events only as proposing facts, propositions, messages, precepts, and the like."

Gregory Bateson, "Cybernetic Explanation"


In this chapter we discuss information problems, problems concerned with preventing information transmission in computational systems. Using the Strong Dependency formalism, we define two well known information problems, the Confinement Problem and the Security Problem.

We discuss maximal solutions and consider information transmission as a criterion for evaluating and comparing solutions to problems.


Section  3.2  Constraint  as  Solution  [consol:] 


In [Cohen 76], we argue that problems in computational systems can be solved by finding a way to constrain the states in which the system is initially permitted to operate. We characterize appropriate initial constraints by a predicate X. For example, the solutions to the enforcement problem $P_{problem}$ (section 1.4) can be characterized by

$X(\varphi) \equiv \varphi\ \text{enforces}\ P_{problem}$

If $A \Vdash \beta$ and $\neg\, A \Vdash_{\varphi} \beta$, then φ can be viewed as a solution to the following problem: find a way to guarantee that no information is transmitted from A to β. The solutions to this problem may be defined by

$X(\varphi) \equiv \neg\, A \Vdash_{\varphi} \beta$

Suppose we wanted to guarantee that no information could be transmitted from α to β in the system

$\delta:\ \mathbf{if}\ m\ \mathbf{then}\ \beta \leftarrow \alpha$

One solution is

$\varphi(\sigma) \equiv \neg\, \sigma.m$

for by initially constraining states to those in which m is false, we guarantee that execution of δ will have no effect on β. However, there is another solution

$\varphi(\sigma) \equiv \sigma.\alpha = 13$

By constraining α to be 13, no variety remains in α and none can therefore be transmitted to β. We can, if we so choose, eliminate such solutions by requiring that φ be independent of α, that is, by requiring that the value of α have no effect upon the truth of φ. Formally we can define

>> Def 3-1]  φ is A-independent iff

$(\forall \sigma_1, \sigma_2)(\ \sigma_1 =_{\bar{A}} \sigma_2 \supset.\ \varphi(\sigma_1) \equiv \varphi(\sigma_2)\ )$

where $\sigma_1 =_{\bar{A}} \sigma_2$ means that σ1 and σ2 agree on every object outside A.

The problem of guaranteeing that no information is transmitted from α to β can then be redefined as

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta \wedge \varphi\ \text{is}\ \alpha\text{-independent}$


Section 3.3  Initial and Invariant Constraints  [infinv:]

In this section, we explore the difference between invariant and non-invariant constraints.

When we describe a problem as X(φ), φ only represents an initial constraint, not necessarily an invariant one. Likewise, when we indicate that some constraint on the variety in an object may prevent information transmission, that constraint is just an initial constraint as well (section 2.4). Consider the problem




$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$

in the system

$\delta_1:\ \mathbf{if}\ flag\ \mathbf{then}\ \beta \leftarrow \alpha\ \mathbf{else}\ \beta \leftarrow 0$

$\delta_2:\ (\ flag \leftarrow tt;\ \alpha \leftarrow x\ )$

A solution to this problem (that is α-independent as well) is

$\varphi(\sigma) \equiv \neg\, \sigma.flag$

If flag is false, then execution of δ1 does not transmit information from α to β; it always sets β to 0. However, φ is not invariant. Execution of δ2 sets flag to true. Subsequent execution of δ1 would transmit information from α to β. Nonetheless φ is a solution, for execution of δ2 also destroys the information initially contained in α by overwriting it with x. So while subsequent execution of δ1 will permit β to reflect the most recent value of α, it reflects nothing of α's initial value.

Hence, if φ is a solution to the problem

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$

then in general, φ is only an initial but not invariant constraint and guarantees only that no information initially contained in α can be transmitted to β. Values placed in α after execution of some history may have an effect on the value of β.


Section 3.4  Examples of Information Problems  [xmplinfo:]

A simple version of the Confinement Problem [Lampson 73] can now be stated. Suppose that Confined(x) if x is the name of an object initially containing information that is to be confined. Suppose that Spy(x) if x names an object to which this confined information must not be transmitted. We can define the Confinement Problem as (also see section 7.5)

$X(\varphi) \equiv (\forall \alpha, \beta)(\ \alpha \Vdash_{\varphi} \beta \supset.\ Confined(\alpha) \supset \neg Spy(\beta)\ )$

That is, find some constraint that reduces information transmission in the system so that, if information is transmitted from α to β, and α is confined, then β must not be a spy.

A solution to the Security Problem [Case 74] would guarantee that information is never transmitted from one object to a second object at a lower security classification than the first. We can define the Security Problem as

$X(\varphi) \equiv (\forall \alpha, \beta)(\ \alpha \Vdash_{\varphi} \beta \supset Cls(\alpha) \le Cls(\beta)\ )$

where Cls(x) is the classification of x. In [Case 74], φ is referred to as the requirement for a "secure system".

[ Note that as in [Denning 75], the classification need not be a single value, but could be a vector of clearance/classification values, in which case "≤" would describe a partial rather than a total order. ]


Section 3.5  Maximal Solutions  [maxsol:]

We say a solution is maximal if it is less restrictive (allows more initial states) than any other solution. Information problems do not necessarily have unique maximal solutions.

A maximal solution for a problem is unique if the problem can be shown to satisfy the join property [Cohen 76]. That is, if

$X(\varphi_1) \wedge X(\varphi_2) \supset X(\ \varphi_1 \vee \varphi_2\ )$

for all φ1, φ2, then the maximal solution would be the join of all the solutions

$\varphi_{max} \equiv \bigvee \{\ \varphi \mid X(\varphi)\ \}$

However, solutions to information problems do not satisfy the join property. For example, consider the problem
$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$

in the system

$\delta:\ \mathbf{if}\ m\ \mathbf{then}\ \beta \leftarrow \alpha$

One solution to X is

$\varphi_1(\sigma) \equiv \sigma.\alpha = 13$

If α is constrained to be a constant, no information is transmitted to β. Any constant will do, so another solution is

$\varphi_2(\sigma) \equiv \sigma.\alpha = 74$

However, the join of these solutions

$(\ \varphi_1 \vee \varphi_2\ )(\sigma) \equiv \sigma.\alpha = 13 \vee \sigma.\alpha = 74$

is not a solution, for ( φ1 ∨ φ2 ) does allow variety in α to be transmitted to β by execution of δ. Since the join property does not hold, problems may not have unique maximal solutions. Consider the system

$\delta:\ \mathbf{if}\ \alpha < 10\ \mathbf{then}\ \beta \leftarrow 0\ \mathbf{else}\ \beta \leftarrow 1$

The problem $X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$ is solved by both φ1 and φ2, where

$\varphi_1(\sigma) \equiv \sigma.\alpha = 0$

$\varphi_2(\sigma) \equiv 0 < \sigma.\alpha < 10$

A maximal solution containing both of these solutions is

$\varphi_{max}(\sigma) \equiv \sigma.\alpha < 10$

A different maximal solution is

$\varphi'_{max}(\sigma) \equiv \sigma.\alpha \ge 10$

In neither case can a less restrictive solution to X be found. In both cases, φmax solves X by guaranteeing that the resulting value in β after execution of δ is always the same. It is always 0 for the first maximal solution, and it is always 1 for the second maximal solution.

By requiring independence (definition 3-1), we can formalize problems whose solutions do satisfy the join property and therefore have unique maximal solutions.

Theorem 3-1]

If $X(\varphi) \equiv \neg\, A \Vdash_{\varphi} \beta \wedge \varphi\ \text{is}\ A\text{-independent}$

then $X(\varphi_1) \wedge X(\varphi_2) \supset.\ X(\ \varphi_1 \vee \varphi_2\ )$

Consider the system (see section 1.3)

$\delta:\ \mathbf{if}\ s \in \langle x, x\rangle \wedge r \in \langle x, \alpha\rangle \wedge w \in \langle x, \beta\rangle\ \mathbf{then}\ \beta \leftarrow \alpha$

There is a single maximal solution to the problem

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta \wedge \varphi\ \text{is}\ \alpha\text{-independent}$

It is

$\varphi_{max}(\sigma) \equiv s \notin \langle x, x\rangle(\sigma) \vee r \notin \langle x, \alpha\rangle(\sigma) \vee w \notin \langle x, \beta\rangle(\sigma)$
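As an added example that is not from the paper, the following Python script decides Strong Dependency by brute force over a small finite state space and checks the reflexivity claims of section 2.5 (with 3-bit rather than 16-bit integers) together with the join-property failure and the two maximal solutions of this section. It assumes the second maximal solution to be σ.α ≥ 10, which the text describes as forcing β to 1; the object domains and function names are the example's own.

```python
from itertools import product

# Added example (not the paper's code): brute-force Strong Dependency over a
# small finite state space.  A state is a dict {object name: value}, a history
# is a function from states to states, and a constraint phi is a predicate on
# states.  Object domains and function names below are this example's own.

def strongly_depends(states, history, A, beta, phi=lambda s: True):
    """A |>_phi^H beta: two phi-states that agree on every object outside A
    but leave beta with different values after the history."""
    allowed = [s for s in states if phi(s)]
    for s1 in allowed:
        for s2 in allowed:
            if (all(s1[x] == s2[x] for x in s1 if x not in A)
                    and history(s1)[beta] != history(s2)[beta]):
                return True
    return False

def all_states(domains):
    """The state space Sigma: every assignment of a value to each object."""
    names = list(domains)
    return [dict(zip(names, v)) for v in product(*(domains[n] for n in names))]

def empty_history(s):
    return dict(s)

# ---- Section 2.5:  delta: beta <- alpha, over 3-bit instead of 16-bit integers
def delta_copy(s):
    t = dict(s)
    t["beta"] = s["alpha"]
    return t

SIGMA1 = all_states({"alpha": range(8), "beta": range(8)})

def reflexivity_results():
    return {
        "alpha_to_alpha_over_delta": strongly_depends(SIGMA1, delta_copy, {"alpha"}, "alpha"),
        "beta_to_beta_over_delta": strongly_depends(SIGMA1, delta_copy, {"beta"}, "beta"),
        "alpha_to_alpha_over_empty": strongly_depends(SIGMA1, empty_history, {"alpha"}, "alpha"),
        # phi(sigma) = sigma.alpha = 3 leaves no variety in alpha at all
        "alpha_to_alpha_over_empty_given_phi": strongly_depends(
            SIGMA1, empty_history, {"alpha"}, "alpha", lambda s: s["alpha"] == 3),
    }

# ---- Section 3.5:  delta: if m then beta <- alpha; the join property fails
def delta_if_m(s):
    t = dict(s)
    if s["m"]:
        t["beta"] = s["alpha"]
    return t

SIGMA2 = all_states({"alpha": (5, 13, 74), "beta": (0, 1), "m": (False, True)})

def solves(states, history, phi):
    """X(phi) = not alpha |>_phi beta."""
    return not strongly_depends(states, history, {"alpha"}, "beta", phi)

def join_results():
    phi1 = lambda s: s["alpha"] == 13
    phi2 = lambda s: s["alpha"] == 74
    join = lambda s: phi1(s) or phi2(s)
    return (solves(SIGMA2, delta_if_m, phi1),
            solves(SIGMA2, delta_if_m, phi2),
            solves(SIGMA2, delta_if_m, join))

# ---- Section 3.5:  delta: if alpha < 10 then beta <- 0 else beta <- 1
def delta_threshold(s):
    t = dict(s)
    t["beta"] = 0 if s["alpha"] < 10 else 1
    return t

SIGMA3 = all_states({"alpha": range(16), "beta": (0, 1)})

def is_maximal(states, history, phi):
    """phi solves X and admitting any single further initial state breaks it."""
    if not solves(states, history, phi):
        return False
    for extra in states:
        if not phi(extra):
            wider = lambda s, e=extra: phi(s) or s == e
            if solves(states, history, wider):
                return False
    return True

def maximal_results():
    phi1 = lambda s: s["alpha"] == 0
    phi2 = lambda s: 0 < s["alpha"] < 10
    phi_max = lambda s: s["alpha"] < 10
    phi_max2 = lambda s: s["alpha"] >= 10      # assumed second maximal solution
    return {
        "phi1_solves": solves(SIGMA3, delta_threshold, phi1),
        "phi1_maximal": is_maximal(SIGMA3, delta_threshold, phi1),
        "phi2_maximal": is_maximal(SIGMA3, delta_threshold, phi2),
        "phi_max_maximal": is_maximal(SIGMA3, delta_threshold, phi_max),
        "phi_max2_maximal": is_maximal(SIGMA3, delta_threshold, phi_max2),
        # the join of the two maximal solutions admits every state and fails
        "join_solves": solves(SIGMA3, delta_threshold,
                              lambda s: phi_max(s) or phi_max2(s)),
    }
```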


Section 3.6  Comparing Solutions  [infsuf:]

"Variety, within the limits of satisfactory constraints, may be a desirable end in itself..."

Herb Simon, "The Sciences of the Artificial"

In [Cohen 76], we argue that solutions to problems should, in general, be as unrestrictive as possible. That is, one should strive to obtain maximal solutions to problems. Yet in many cases, solutions that are not maximal may be as good in certain respects as those that are maximal. We would like to find measures that characterize the worth of a solution, which would indicate that certain non-maximal solutions are as worthy as those which are maximal. In this section, we will show that Strong Dependency may be an appropriate base for just such a measure.

Consider the problem

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta \wedge \varphi\ \text{is}\ \alpha\text{-independent}$

in the system (see section 1.3)

$\delta_1:\ \mathbf{if}\ s \in \langle x, x\rangle \wedge r \in \langle x, \alpha\rangle \wedge w \in \langle x, \beta\rangle\ \mathbf{then}\ \beta \leftarrow \alpha$

$\delta_2:\ \mathbf{if}\ s \in \langle x, x\rangle \wedge r \in \langle x, m\rangle \wedge w \in \langle x, \beta\rangle\ \mathbf{then}\ \beta \leftarrow m$

A maximal solution is (see section 3.5)

$\varphi_{max}(\sigma) \equiv s \notin \langle x, x\rangle(\sigma) \vee r \notin \langle x, \alpha\rangle(\sigma) \vee w \notin \langle x, \beta\rangle(\sigma)$

Another solution (more restrictive than φmax) is

$\varphi_1(\sigma) \equiv r \notin \langle x, \alpha\rangle(\sigma)$

While φ1 is stricter than φmax, the two share an important property. They prevent information transmission from α to β but prevent no other information transmission (for example from m to β). Contrast those solutions with the solution (also contained in φmax)

$\varphi_2(\sigma) \equiv s \notin \langle x, x\rangle(\sigma) \vee w \notin \langle x, \beta\rangle(\sigma)$

which prevents information transmission from x to β as well. We will develop a criterion that indicates that φ1 is as worthy a solution for X as φmax while φ2 is not, by formalizing the determination of which information paths are eliminated.
First, let us take a moment and explore the difficulty of comparing solutions quantitatively. We might argue that one solution is as good as another if it allows more bits of information to be transmitted in the system. Suppose that α, β, t1, t2, m1 and m2 are all 16 bit non-negative integers. Consider the system

$\delta_1:\ m_1 \leftarrow t_1$

$\delta_2:\ m_2 \leftarrow t_2$

$\delta_3:\ \mathbf{if}\ t_1 > 4 \wedge t_2 > 256\ \mathbf{then}\ \beta \leftarrow \alpha$

The problem

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$

can be solved by either φ1 or φ2 where

$\varphi_1(\sigma) \equiv \sigma.t_1 \le 3$

$\varphi_2(\sigma) \equiv \sigma.t_2 \le 255$

We might think that φ2 is a better solution since it only reduces t2's variety to 8 bits while φ1 reduces t1's variety to 2 bits worth. This kind of analysis is uncomfortable for a number of reasons. First, numeric values give no sense of the relative importance of the information in t1 and t2. Secondly, to formally assign a bit value to the amount of information transmitted we really need to know the probability of each initial state and the probability of each behavior in the system (see section 7.4).

We opt for a qualitative rather than quantitative measure of worth. We will measure the worth of a solution in terms of whether or not information can be transmitted at all. Formally, we define the worth of a solution as the set of information paths permitted in the system when constrained by the solution.

$Worth(\varphi) \equiv \{\ \langle A, \beta\rangle \mid A \Vdash_{\varphi} \beta\ \}$

If we order these worths by whether one is a subset of the other, then we find that

$Worth(\varphi_1) \le Worth(\varphi_2)$  iff  $(\forall A, \beta)(\ A \Vdash_{\varphi_1} \beta \supset A \Vdash_{\varphi_2} \beta\ )$

In [Cohen 76], we note that measures of worth should ordinarily be monotonic. Formally

>> Def 3-2]  <Worth, ≤> is a monotonic measure iff

$\varphi_1 \subseteq \varphi_2 \supset.\ Worth(\varphi_1) \le Worth(\varphi_2)$

That is, if one solution to a problem is less restrictive than another, it should be at least as worthy. We show in [Cohen 76] that if a problem has a unique maximal solution, then it is the worthiest solution relative to any monotonic measure. From theorem 2-3, it is clear that this measure of worth is a monotonic one.

According to the measure of worth we have defined, two solutions are equally worthy if neither eliminates an information path permitted by the other.
Chapter 4 - Strong Dependency Induction  [strind:]

Section 4.1  Introduction  []

In this chapter, we discuss Strong Dependency Induction, an inductive proof technique for proving the correctness of solutions to information problems. We confine our attention to solutions which are both autonomous and invariant, treating more general cases in chapters 5 and 6.

We find that Strong Dependency Induction is not useful unless the Strong Dependency relation is transitive. We introduce another technique, which we call Separation of Variety, in order to extend Strong Dependency Induction to the non-transitive case.

Section 4.2  Transmission Through Intermediate Objects  [invar:]

The reader might imagine that if information is transmitted from α to β by δ1 δ2 in some system, there should be some intermediate object m (possibly the same as α or β in degenerate cases) such that δ1 transmits information from α to m and δ2 transmits information from m to β. For example, in the system

$\delta_1:\ m \leftarrow \alpha$

$\delta_2:\ \beta \leftarrow m$

$\alpha \Vdash^{\delta_1 \delta_2} \beta$  and  $\alpha \Vdash^{\delta_1} m$  and  $m \Vdash^{\delta_2} \beta$

This intuition is exactly right and holds more generally when the system is initially constrained by an autonomous invariant constraint.

Theorem 4-1]

If φ is autonomous and invariant then

$\alpha \Vdash^{H H'}_{\varphi} \beta \supset (\exists m)(\ \alpha \Vdash^{H}_{\varphi} m \wedge m \Vdash^{H'}_{\varphi} \beta\ )$
This is the basic induction theorem for information transmission, although in later sections we will develop more general proof techniques. We will find the following corollaries useful:

Corollary 4-2]

If φ is autonomous and invariant and α ≠ β then

$(\forall m \ne \alpha, \delta)(\ \neg\, \alpha \Vdash^{\delta}_{\varphi} m\ ) \vee (\forall m \ne \beta, \delta)(\ \neg\, m \Vdash^{\delta}_{\varphi} \beta\ )$

$\supset.\ \neg\, \alpha \Vdash_{\varphi} \beta$

That is, if either no operation can transmit information from α to any other object or no operation can transmit information from any other object to β, then information cannot be transmitted from α to β. Another useful corollary is

Corollary 4-3]

If φ is autonomous and invariant
and q is reflexive and transitive

( q reflexive  ≡  $(\forall x)(\ q(x,x)\ )$

  q transitive  ≡  $q(x,y) \wedge q(y,z) \supset.\ q(x,z)$ )

then  $(\forall x, y, \delta)(\ x \Vdash^{\delta}_{\varphi} y \supset q(x,y)\ )$

$\supset.\ (\forall x, y)(\ x \Vdash_{\varphi} y \supset q(x,y)\ )$

Using these corollaries, we need only analyze information transmission over the set of all operations rather than over the set of all histories.

The last corollary is especially useful for the Security Problem (section 3.4) which requires a solution guaranteeing that whenever information is transmitted from α to β, β's classification must be no less than α's. The problem can be formally stated as

$X(\varphi) \equiv (\forall \alpha, \beta)(\ \alpha \Vdash_{\varphi} \beta \supset.\ Cls(\alpha) \le Cls(\beta)\ )$

where Cls(x) is the classification of x.

$q(x,y) \equiv Cls(x) \le Cls(y)$ is an example of a transitive, reflexive q. By corollary 4-3, if φ is autonomous and invariant, we only need show that no operation can transmit information from one object to another at a lower classification (when the system is constrained by φ) to show that the system is secure. That is, we need only show that

$(\forall \delta, \alpha, \beta)(\ \alpha \Vdash^{\delta}_{\varphi} \beta \supset Cls(\alpha) \le Cls(\beta)\ )$

When $\alpha \Vdash^{\delta}_{\varphi} \beta$ is read as "information flows from α to β over execution of δ", this corollary provides a formal basis for the work discussed in [Denning 75] that describes information flow in systems where objects have statically assigned classifications.


Section 4.3  An Example of Strong Dependency Induction  [invxmpl:]

In this section, we will present a detailed example showing how Strong Dependency Induction may be used to solve an information problem.

Imagine a system where each object contains data as well as a single pointer to another object. The system has two sets of operations:

$\delta_1(y, x):\ \mathbf{if}\ y.ptr = x\ \mathbf{then}\ y.data \leftarrow x.data$

$\delta_2(y, x):\ \mathbf{if}\ y.ptr = x\ \mathbf{then}\ y.ptr \leftarrow x.ptr$

If y points to x, then execution of δ1(y,x) will copy data from x to y. If y points to x and x points to w, then after execution of δ2(y,x), y will point to w, as illustrated below.


We will consider the problem of trying to guarantee that information from a particular object α cannot be transmitted to some other object β. That is:

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$

We will show that if there is no chain of pointers from β to α, then no information can be transmitted from α to β.


We divide the objects into two sets, those that point through some chain of objects (possibly of length zero) to α and those that do not. We will characterize the former by the predicate Chain, so that Chain(α) and ¬Chain(β).

We argue that if β does not initially point to α, then no information can be transmitted from α to β. First we show that the initial constraint φ guarantees that β does not point to α, where φ is

$\varphi(\sigma) \equiv (\forall y)(\ Chain(\sigma.y.ptr) \supset Chain(y)\ )$

We will write points(y,x,n)(σ) to mean that there is a chain of pointers of length n from y to x in state σ. Formally, we can define points recursively as

$points(y, x, 0)(\sigma) \Leftarrow y = x$

$points(y, x, n+1)(\sigma) \Leftarrow (\exists m)(\ \sigma.y.ptr = m \wedge points(m, x, n)(\sigma)\ )$

A straightforward induction on n shows that

$\varphi(\sigma) \supset (\forall n)(\ points(y, x, n)(\sigma) \supset.\ Chain(x) \supset Chain(y)\ )$

Since Chain(α) and ¬Chain(β), we conclude that

$\varphi(\sigma) \supset (\forall n)(\ \neg\, points(\beta, \alpha, n)(\sigma)\ )$

That is, φ guarantees that β does not point to α.

φ is autonomous. We next show that φ is invariant. δ1 has no effect on pointers, so we need only consider δ2. Given that φ(σ) holds, we will show that for arbitrary p and q, φ(δ2(q,p)(σ)) holds.


1]   Given φ(σ)
2]   Assume Chain( δ2(q,p)(σ).y.ptr )
3]   Case 1:  y ≠ q
4]      Chain( σ.y.ptr )                    (2, 3, Def δ2)
5]   Case 2:  y = q,  σ.y.ptr ≠ p
6]      Chain( σ.y.ptr )                    (2, 5, Def δ2)
7]   Case 3:  y = q,  σ.y.ptr = p
8]      Chain( σ.p.ptr )                    (2, 7, Def δ2)
9]      Chain( p )                          (1, 8)
10]     Chain( σ.y.ptr )                    (7, 9)
11]  Chain( σ.y.ptr )                       (3-4, 5-6, 7-10)
12]  Chain( y )                             (11, 1)
13]  φ( δ2(q,p)(σ) )                        (2-12)

Next we pick

$q(x, y) \equiv Chain(x) \supset Chain(y)$

noting that q is both reflexive and transitive. We next show that

$(\forall \delta, x, y)(\ x \Vdash^{\delta}_{\varphi} y \supset q(x,y)\ )$

1]  Assume $x \Vdash^{\delta}_{\varphi} y$ where δ ≡ δ1(q,p)
2]  Assume Chain(x)
3]  $(\exists \sigma_1, \sigma_2)(\ \varphi(\sigma_1) \wedge \varphi(\sigma_2) \wedge \sigma_1 =_{\bar{x}} \sigma_2 \wedge \delta(\sigma_1).y \ne \delta(\sigma_2).y\ )$   [1]
4]  $\sigma_1 =_{\bar{x}} \sigma_2 \wedge \delta(\sigma_1).y \ne \delta(\sigma_2).y$   [3]
5]  $(\ \sigma_1.y.ptr = x \vee \sigma_2.y.ptr = x\ )$   [4, 1 (def of δ)]
6]  $Chain(\sigma_1.y.ptr) \vee Chain(\sigma_2.y.ptr)$   [5, 2]
7]  $\varphi(\sigma_1) \wedge \varphi(\sigma_2)$   [3]
8]  Chain( y )   [6, 7]

The proof for δ2 is exactly the same. Since q is transitive and reflexive, and φ is autonomous and invariant, by corollary 4-3, we can show that

$(\forall x, y)(\ x \Vdash_{\varphi} y \supset q(x,y)\ )$

Since Chain(α) and ¬Chain(β), this result shows (see the definition of q above) that

$\neg\, \alpha \Vdash_{\varphi} \beta$

This shows that φ is a solution to X. If there is no chain of pointers from β to α, then information cannot be transmitted from α to β.
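As an added example that is not from the paper, the pointer system above is modelled in Python over four objects, and the invariance of φ under every δ1(q,p) and δ2(q,p) is checked by exhaustive enumeration of pointer configurations, together with the consequence that no φ-state has a chain from β to α. The fixed Chain set {α, u} and the extra objects u and v are the example's own assumptions.

```python
from itertools import product

# Added example (not the paper's code): the pointer system of section 4.3 over
# four objects, with points(y,x,n), a fixed Chain set containing alpha but not
# beta, and the constraint phi.  Exhaustive enumeration of pointer
# configurations checks that phi is invariant under every delta1(q,p) and
# delta2(q,p) and that no phi-state has a chain from beta to alpha.
# The objects u, v and the Chain set are this example's own assumptions.

OBJECTS = ("alpha", "beta", "u", "v")
CHAIN = {"alpha", "u"}            # Chain(alpha) holds, Chain(beta) does not

def delta1(y, x):
    """delta1(y,x): if y.ptr = x then y.data <- x.data"""
    def op(s):
        t = {n: dict(o) for n, o in s.items()}
        if s[y]["ptr"] == x:
            t[y]["data"] = s[x]["data"]
        return t
    return op

def delta2(y, x):
    """delta2(y,x): if y.ptr = x then y.ptr <- x.ptr"""
    def op(s):
        t = {n: dict(o) for n, o in s.items()}
        if s[y]["ptr"] == x:
            t[y]["ptr"] = s[x]["ptr"]
        return t
    return op

def points(y, x, n, s):
    """points(y,x,n)(sigma): a chain of exactly n pointers leads from y to x."""
    if n == 0:
        return y == x
    return points(s[y]["ptr"], x, n - 1, s)

def phi(s):
    """phi(sigma) = (forall y)( Chain(sigma.y.ptr) implies Chain(y) )"""
    return all(y in CHAIN for y in s if s[y]["ptr"] in CHAIN)

def all_states(data=0):
    """Every pointer configuration; data is irrelevant to phi, so it is fixed."""
    for ptrs in product(OBJECTS, repeat=len(OBJECTS)):
        yield {n: {"ptr": p, "data": data} for n, p in zip(OBJECTS, ptrs)}

def phi_excludes_chain_to_alpha():
    """phi(sigma) implies (forall n)( not points(beta, alpha, n)(sigma) )."""
    return all(not points("beta", "alpha", n, s)
               for s in all_states() if phi(s)
               for n in range(len(OBJECTS) + 1))

def phi_is_invariant():
    """phi(sigma) implies phi(delta(sigma)) for every delta1(q,p), delta2(q,p)."""
    ops = [d(q, p) for d in (delta1, delta2) for q in OBJECTS for p in OBJECTS]
    return all(phi(op(s)) for s in all_states() if phi(s) for op in ops)

def phi_is_not_trivial():
    """Some pointer configurations violate phi, so the checks are not vacuous."""
    return any(not phi(s) for s in all_states())

def example_state():
    """Constructed state with the chain beta -> v -> u -> alpha (violates phi)."""
    return {"alpha": {"ptr": "alpha", "data": 7},
            "beta": {"ptr": "v", "data": 0},
            "u": {"ptr": "alpha", "data": 0},
            "v": {"ptr": "u", "data": 0}}
```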

Section 4.4  Transitivity  [trans:]

In this section, we show that the useful application of Strong Dependency Induction requires that Strong Dependency be transitive.

In the system

$\delta_1:\ \mathbf{if}\ q\ \mathbf{then}\ m \leftarrow \alpha$

$\delta_2:\ \mathbf{if}\ \neg q\ \mathbf{then}\ \beta \leftarrow m$

we can show directly that the problem

$X(\varphi) \equiv \neg\, \alpha \Vdash^{\delta_1 \delta_2}_{\varphi} \beta$

can be solved by the always true solution, $\varphi(\sigma) \equiv tt$. That is, for any two states initially differing only in α, after execution of δ1 δ2, the value of β will be the same for both.

However, to prove this result by Strong Dependency Induction, we would have to show that either

$\neg\, \alpha \Vdash^{\delta_1} m$  or  $\neg\, m \Vdash^{\delta_2} \beta$

But both

$\alpha \Vdash^{\delta_1} m$  and  $m \Vdash^{\delta_2} \beta$

The difficulty is that Strong Dependency is not transitive in this system. Strong Dependency is transitive if

$\alpha \Vdash^{H} m \wedge m \Vdash^{H'} \beta \supset.\ \alpha \Vdash^{H H'} \beta$


Section 4.5  Separation of Variety  [sepvar:]

In this section we introduce a proof technique we call Separation of Variety which can be used to extend Strong Dependency Induction to cases where Strong Dependency is not transitive. We explain Separation of Variety by considering the system

$\delta:\ \mathbf{if}\ \alpha\ \mathbf{then}\ \beta \leftarrow tt\ \mathbf{else}\ \beta \leftarrow ff$

While

$\alpha \Vdash^{\delta} \beta$

there are two solutions, φ1 and φ2, to the problem

$X(\varphi) \equiv \neg\, \alpha \Vdash_{\varphi} \beta$

$\varphi_1(\sigma) \equiv \sigma.\alpha = tt$

$\varphi_2(\sigma) \equiv \sigma.\alpha = ff$

In both solutions, we prevent transmission by reducing the variety of α.


Each subset of Σ characterized by φ1 or φ2 still exhibits all of the variety possible in α, and in each case, all of that variety can still be transmitted to β. Now, let's consider the system

$\delta:\ \mathbf{if}\ m\ \mathbf{then}\ \beta \leftarrow \alpha$

We find that

$\alpha \Vdash^{\delta} \beta$  but  $\neg\, \alpha \Vdash^{\delta}_{\varphi_1} \beta$




While α's variety is still completely exhibited in both subsets of Σ characterized by φ1 and φ2, φ1 prevents that variety from being conveyed to β. However, in the case of φ2, transmission can still take place.

In general, if we split the state space in any way along partitions independent of α, in at least one of the cases distinguished by the split, α's variety can still be conveyed to β. If not, there would have been no way that α's variety ever could have been transmitted to β. In fact, the result holds for a more general sort of division of the state space. If φ1, ..., φn cover Σ along lines independent of α, then $\alpha \Vdash_{\varphi_i} \beta$ for at least one of the i's. We defined independence (definition 3-1) so that

φ is A-independent iff

$(\forall \sigma, \sigma')(\ \sigma =_{\bar{A}} \sigma' \supset.\ \varphi(\sigma) \equiv \varphi(\sigma')\ )$

That is, φ is A-independent if φ in no way constrains the value of any object in A. Next we define an A-independent cover, a set of A-independent constraints that cover Σ.

>> Def 4-1]  {φi} is an A-independent cover iff

$(\forall i)(\ \varphi_i\ \text{is}\ A\text{-independent}\ ) \wedge (\forall \sigma \exists i)(\ \varphi_i(\sigma)\ )$

Theorem 4-4]

If {φi} is an α-independent cover then

$\alpha \Vdash^{H} \beta \supset (\exists i)(\ \alpha \Vdash^{H}_{\varphi_i} \beta\ )$

and therefore

$\alpha \Vdash \beta \supset (\exists i)(\ \alpha \Vdash_{\varphi_i} \beta\ )$

More generally

Theorem 4-5]

If {φi} is an A-independent cover then

$A \Vdash^{H}_{\varphi} \beta \supset (\exists i)(\ A \Vdash^{H}_{\varphi \wedge \varphi_i} \beta\ )$

and therefore

$A \Vdash_{\varphi} \beta \supset (\exists i)(\ A \Vdash_{\varphi \wedge \varphi_i} \beta\ )$

[ Note that this theorem does not require that the φi's be autonomous, only A-independent. ]

The theorem suggests the following proof technique. To show

$\neg\, \alpha \Vdash_{\varphi} \beta$

find an α-independent cover {φi} and show that

$(\forall i)(\ \neg\, \alpha \Vdash_{\varphi \wedge \varphi_i} \beta\ )$
Section 4.6  An Example of Separation of Variety  [sepxmpl:]

We will illustrate the use of separation of variety (in conjunction with Strong Dependency Induction) by showing that $\neg\, \alpha \Vdash \beta$ in the system

Pick the α-independent cover {φ1, φ2}, where

so by corollary 4-2

Therefore, by theorem 4-5

For another example, consider the system ("left" and "right" are assumed to be disjoint components of m)

We must show that for each φi, no information can be transmitted from α to β given φi. We will prove this for each φi using corollary 4-2. This requires a proof that each φi is invariant and that given φi, no operation can transmit information to β from any other object. Each φi is invariant since δ2 does not modify m and δ1 only modifies m.left. Now, though δ2 modifies β by copying the value of m.right into β, when φi constrains m.right to be a constant, no variety is conveyed to β and thus no information is transmitted to β. Since δ1 does not affect β at all, no operation can transmit information to β from any other object. Formally

1]  $(\forall i)(\ \varphi_i\ \text{is}\ \alpha\text{-independent}\ )$
2]  $(\forall \sigma \exists i)(\ \varphi_i(\sigma)\ )$   [pick the φi so that σ.m.right ... ]
3]  $(\forall i)(\ \varphi_i\ \text{is autonomous}\ )$
4]  $(\forall i)(\ \varphi_i\ \text{is invariant}\ )$   [left to reader]
5]  $(\forall i)(\forall x \ne \beta, \delta)(\ \neg\, x \Vdash^{\delta}_{\varphi_i} \beta\ )$   [left to reader]
6]  $(\forall i)(\ \neg\, \alpha \Vdash_{\varphi_i} \beta\ )$   [3, 4, 5, Crlry 4-2]
7]  $\neg\, \alpha \Vdash \beta$   [1, 2, 6, Th 4-5]
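As an added example that is not from the paper, the following Python checks the non-transitivity example of section 4.4 and the Separation of Variety argument of sections 4.5 and 4.6 by brute force over boolean objects, including the A-independence test of definition 3-1 and the cover test of definition 4-1. The boolean domains and the function names are the example's own.

```python
from itertools import product

# Added example (not the paper's code): boolean-valued objects, with the
# non-transitivity example of section 4.4 and the Separation of Variety
# argument of sections 4.5 and 4.6 checked by brute force, including the
# A-independence test of definition 3-1 and the cover test of definition 4-1.
# Object and function names are this example's own.

def strongly_depends(states, history, A, beta, phi=lambda s: True):
    """A |>_phi^H beta over a finite state space."""
    allowed = [s for s in states if phi(s)]
    return any(all(s1[x] == s2[x] for x in s1 if x not in A)
               and history(s1)[beta] != history(s2)[beta]
               for s1 in allowed for s2 in allowed)

def all_states(names):
    return [dict(zip(names, v)) for v in product((False, True), repeat=len(names))]

def compose(*ops):
    """The history H H': run the operations left to right."""
    def run(s):
        for op in ops:
            s = op(s)
        return s
    return run

def is_independent(states, phi, A):
    """Definition 3-1: states that agree outside A get the same phi value."""
    return all(phi(s1) == phi(s2)
               for s1 in states for s2 in states
               if all(s1[x] == s2[x] for x in s1 if x not in A))

def is_cover(states, phis, A):
    """Definition 4-1: every phi_i is A-independent and together they cover Sigma."""
    return (all(is_independent(states, p, A) for p in phis)
            and all(any(p(s) for p in phis) for s in states))

SIGMA = all_states(("alpha", "m", "beta", "q"))

# ---- Section 4.4:  delta1: if q then m <- alpha ;  delta2: if not q then beta <- m
def delta1(s):
    t = dict(s)
    if s["q"]:
        t["m"] = s["alpha"]
    return t

def delta2(s):
    t = dict(s)
    if not s["q"]:
        t["beta"] = s["m"]
    return t

def transitivity_results():
    """alpha |>^d1 m and m |>^d2 beta hold, yet alpha |>^{d1 d2} beta fails."""
    return {
        "alpha_to_m_over_d1": strongly_depends(SIGMA, delta1, {"alpha"}, "m"),
        "m_to_beta_over_d2": strongly_depends(SIGMA, delta2, {"m"}, "beta"),
        "alpha_to_beta_over_d1d2": strongly_depends(
            SIGMA, compose(delta1, delta2), {"alpha"}, "beta"),
    }

def separation_results():
    """Split Sigma along q: {q, not q} is an alpha-independent cover and
    alpha |>_{phi_i}^{d1 d2} beta fails for each i, so by theorem 4-4
    not alpha |>^{d1 d2} beta."""
    phis = [lambda s: s["q"], lambda s: not s["q"]]
    h = compose(delta1, delta2)
    return {
        "cover_ok": is_cover(SIGMA, phis, {"alpha"}),
        "per_case": [strongly_depends(SIGMA, h, {"alpha"}, "beta", p) for p in phis],
        # a split along alpha itself is not alpha-independent and proves nothing
        "alpha_split_independent": is_independent(SIGMA, lambda s: s["alpha"], {"alpha"}),
    }

# ---- Section 4.5:  delta: if m then beta <- alpha, split along m
def delta_if_m(s):
    t = dict(s)
    if s["m"]:
        t["beta"] = s["alpha"]
    return t

def split_on_m_results():
    """phi1 = not m blocks alpha's variety; phi2 = m still lets it through."""
    phi1 = lambda s: not s["m"]
    phi2 = lambda s: s["m"]
    return (strongly_depends(SIGMA, delta_if_m, {"alpha"}, "beta", phi1),
            strongly_depends(SIGMA, delta_if_m, {"alpha"}, "beta", phi2))
```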


Chapter 5 - Relatively Autonomous Constraints  [relphi:]

Section 5.1  Introduction  []

In the previous chapters, we confined our attention to autonomous constraints so that we could explore the basic properties of Strong Dependency - the transmission and separation of variety, and the definition and solution of information problems using Strong Dependency.

In this chapter, we turn our attention to the meaning of constraint. In an information theoretic sense, constraint has two meanings. We explored the first of these meanings in chapter 2, where we showed how constraint might be used to reduce the variety in a system, thereby preventing information transmission.

Constraint has another meaning as well. Non-autonomous constraints establish relations among the values of two or more objects. As a result, they spread the source of transmitted information. For example, the constraint

$\varphi(\sigma) \equiv \sigma.\alpha < \sigma.m$

relates the initial values of α and m. If information can be transmitted from m to β, information may be transmitted from α to β as well. If an observer of β can discover something about m's value, then β might discover something about α as well, by knowing the relationship between α and m.

We find in this chapter that the Strong Dependency formalism is not wholly suited to dealing with non-autonomous constraints. [ Work in progress (section 7.2) is directed towards that goal. ]

We find that we can continue to use Strong Dependency for certain non-autonomous constraints. If we "clump" a group of objects together and treat them as a "pseudo-object", then a non-autonomous constraint may appear to be autonomous with respect to that "pseudo-object". For example, if we clump α and m together, then we note that φ is autonomous relative to the clump {α, m}.

We treat clumps formally as sets, call the related constraints relatively autonomous, and extend Strong Dependency Induction to handle such constraints.


Section 5.2 The Strong Dependency Hypothesis

In this section we show that Strong Dependency is not completely suitable
as a formalism for information transmission in systems constrained by
non-autonomous constraints.

Strong Dependency represents an attempt to formalize the intuitive notion
of information transmission. So far, we accept the following hypothesis.

****** The Strong Dependency Hypothesis ******

    If A ⊳⊳_φ β then

    Information can be transmitted from (some object in) A to β
    in a system constrained initially by φ

In other work (section 7.2), we find additional support for this
hypothesis, regardless of whether φ is autonomous or not.

The converse of the Strong Dependency Hypothesis is not true. Consider
the problem

    χ(φ) ≡ ¬ α1 ⊳⊳_φ β

in the system

    δ: β ← α1

We find that the non-autonomous constraint

    φ(σ) ≡ σ.α1 = σ.α2

will solve the problem. The solution is similar to that of constraining the
value of α1 to that of a constant. Instead, the value of α1 is constrained
to be the same as α2. In either case a degree of freedom is removed from
the system. Yet, this solution is disturbing, for one might imagine 3 ways
that this solution came to pass.

1. α1 was always the same as α2 in the system. Somehow, in
initializing the system, the value of α1 was also placed in α2 (or
vice-versa). There is still a great deal of variety in α1; only it
is shared with α2. Execution of δ will convey all of this variety to
β.

2. φ was brought about (produced - see [Cohen 76]) by executing
some other operation (not shown) that copied α1 to α2. The argument
of (1) above still holds.

3. φ was brought about by some operation that copied α2 to α1,
destroying all of the initial variety in α1. However, we are
analyzing the system after φ was brought about (after the solution
was produced), that is, after the copy. Again, the variety in α1 is
matched by the variety of α2, and as in (1) and (2), the problem of
preventing information transmission still remains.

This analysis argues that information is transmitted from α1 to β given
φ, even though ¬ α1 ⊳⊳_φ β. The constraint φ spreads the variety between
α1 and α2. Strong Dependency is insensitive to that spreading of variety;
it only takes account of the fact that α1 appears to have no variety at all
since it is forced to take on the same value as α2.

Section 5.3 Relative Autonomy

In this section, we show how Strong Dependency may be used with certain
non-autonomous constraints, by considering a set of objects as a single
source of information.

In the example in the previous section, we considered α1 as a potential
information source. The Strong Dependency formalism only analyzed the
effect of α1's variety on β independently of the variety in other objects,
particularly in α2. Yet in that example φ spread α1's variety to α2. We
must therefore treat α1 and α2 together as a source, determining whether
their composite variety can be transmitted to β. And in fact, we can show
that

    {α1, α2} ⊳⊳_φ β

Though φ is not autonomous, we will say that it is autonomous relative to
{α1, α2}, or {α1, α2}-autonomous. That means there are no correlations
between {α1, α2} and any other object (a formal definition is found below).
The argument suggests that although the converse to the Strong Dependency
Hypothesis is not true, the following weaker version is true.

****** The Relative Autonomy Hypothesis ******

    If φ is A-autonomous
    and ¬ A ⊳⊳_φ β then

    No information can be transmitted from A to β
    in a system constrained initially by φ

Additional support for this hypothesis may be found in other work in
progress (section 7.2). Consider the system

    δ: β ← α1 - α2

    φ(σ) ≡ σ.α1 = σ.α2

We find that ¬ {α1, α2} ⊳⊳_φ β

Because φ is {α1, α2}-autonomous, the hypothesis argues that information is
transmitted neither from α1 nor from α2 to β. This is as it should be.
Given the constraint φ, execution of δ will always set β to 0 regardless of
the initial values of α1 and α2 (which must be the same).

If the constraint φ above were

    φ(σ) ≡ σ.α1 = σ.α2 ∧ σ.m1 = σ.m2

φ would still be {α1, α2}-autonomous. Though other objects (m1 and m2) are
constrained to have correlated values, no value of α1 or α2 is correlated
with any of them. Even for these kinds of relatively autonomous constraints,
the Relative Autonomy Hypothesis holds. As long as no variety is spread
between objects in A and objects outside of A, Strong Dependency accurately
reflects information transmission.

We can represent relative autonomy formally in the following way:

First, remember that we defined φ is A-independent as (def 3-1)

    (∀σ1, σ2)( σ1 =_A σ2 ⊃ φ(σ1) ≡ φ(σ2) )

>> Def 5-1] φ is A-strict iff

    (∀σ1, σ2)( σ1.A = σ2.A ⊃ φ(σ1) ≡ φ(σ2) )

φ is A-independent if φ does not constrain any objects in A.

φ is A-strict if φ only constrains objects in A.

>> Def 5-2] φ is A-autonomous iff

    φ = φ1 ∧ φ2

    for some φ1 which is A-strict
    and some φ2 which is A-independent

For example

    φ(σ)  ≡ σ.α1 = σ.α2 ∧ σ.m1 = σ.m2

    φ1(σ) ≡ σ.α1 = σ.α2      is {α1, α2}-strict
    φ2(σ) ≡ σ.m1 = σ.m2      is {α1, α2}-independent

Therefore,

    φ1 ∧ φ2

is {α1, α2}-autonomous.
Section 5.4 Substitution and Autonomy

In this section, we present a different characterization of relatively
autonomous constraints. We show it is equivalent to the definition of
relative autonomy given in the previous section, but leads to a more usable
formalism. We also define autonomy as it has been used since section 2.6.

Imagine two states σ1 and σ2 that both satisfy

    φ(σ) ≡ σ.α1 = σ.α2 ∧ σ.m1 = σ.m2

           α1     α2     m1     m2     q
    σ1      1      1      2      2     3
    σ2    101    101    102    102   103

Compose a state σ that is just like σ2 except that it takes on the value of
σ1 for α1 and α2.

           α1     α2     m1     m2     q
    σ       1      1    102    102   103

σ also satisfies φ. α1 and α2 help satisfy φ independently of the values of
other objects. The values of α1 and α2 taken from any state satisfying φ
can be substituted for the values of α1 and α2 in σ2; the resulting state
will still satisfy φ. Whenever φ is A-autonomous, if σ1 and σ2 both satisfy
φ, then σ2 with σ1 substituted at A will satisfy φ as well. Formally we
define σ2 with σ1 substituted at A as

>> Def 5-3] σ2 ←_A σ1

    σ2 ←_A σ1 ≡def σ  where  σ =_A σ2 ∧ σ.A = σ1.A

Theorem 5-1]

    φ is A-autonomous iff

    (∀σ1, σ2)( φ(σ1) ∧ φ(σ2) ⊃ φ( σ2 ←_A σ1 ) )

The constraint

    φ(σ) ≡ σ.α1 = σ.α2 ∧ σ.m1 = σ.m2

is {α1, α2}-autonomous. It is also {m1, m2}-autonomous. It is also
q-autonomous for any arbitrary other object q. The value of q may change
independently of any other object, especially since q is not constrained at
all by φ. If we think of each relatively autonomous set of objects
(e.g. {α1, α2}) as a single "pseudo-object", we can see that theorem 2-6

    A ⊳⊳_φ^H β ⊃ (∃α ∈ A)( α ⊳⊳_φ^H β )

generalizes to the following theorem.

Theorem 5-2]

    If φ is Ai-autonomous, i = 1,...,k then

If in some system constrained by the example φ above, information was
transmitted from {α1, α2, m1, m2, q} to β and did not depend upon q or upon
{m1, m2}, then β would certainly have to depend upon {α1, α2}.

If φ permits the value of each object to change independently of the
value of any other object, then φ is α-autonomous for all α. This is the
formal definition of autonomy (described informally in section 2.6).

>> Def 5-4] φ is autonomous iff

    (∀α, σ1, σ2)( φ(σ2) ∧ φ(σ1) ⊃ φ( σ2 ←_α σ1 ) )
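The definitions of sections 5.3 and 5.4 can be checked mechanically on a finite domain. The following is an added example (not code from the paper) that tests A-strictness (Def 5-1), A-independence (def 3-1), relative autonomy by the substitution criterion of Theorem 5-1 (Def 5-3) and autonomy in the sense of Def 5-4 by enumerating every state over a small domain. The object names a1, a2, m1, m2, q and the domain {0, 1} are constructed for the example; the worked table of section 5.4 is reproduced with the paper's own values.

```python
from itertools import product

# Added example, not code from the paper.  A state sigma is a dict
# {object name: value}.  Object names and the value domain are constructed.

OBJECTS = ("a1", "a2", "m1", "m2", "q")
DOMAIN = (0, 1)


def states(objects=OBJECTS, domain=DOMAIN):
    """Enumerate every state over the given objects."""
    for values in product(domain, repeat=len(objects)):
        yield dict(zip(objects, values))


def project(s, A):
    """sigma.A: the values of sigma at the objects in A (fixed order)."""
    return tuple(s[x] for x in sorted(A))


def differ_only_at(s1, s2, A):
    """sigma1 =_A sigma2: the two states agree on every object outside A."""
    return all(s1[x] == s2[x] for x in s1 if x not in A)


def substitute(s2, s1, A):
    """sigma2 <-_A sigma1 (Def 5-3): sigma2 with sigma1's values at A."""
    return {x: (s1[x] if x in A else s2[x]) for x in s2}


def is_strict(phi, A):
    """phi is A-strict (Def 5-1): states agreeing on A get the same verdict."""
    return all(phi(s1) == phi(s2)
               for s1 in states() for s2 in states()
               if project(s1, A) == project(s2, A))


def is_independent(phi, A):
    """phi is A-independent (def 3-1): states differing only at A get the same verdict."""
    return all(phi(s1) == phi(s2)
               for s1 in states() for s2 in states()
               if differ_only_at(s1, s2, A))


def is_autonomous_rel(phi, A):
    """phi is A-autonomous by the Theorem 5-1 criterion:
    phi(sigma1) and phi(sigma2) imply phi(sigma2 <-_A sigma1)."""
    S = [s for s in states() if phi(s)]
    return all(phi(substitute(s2, s1, A)) for s1 in S for s2 in S)


# phi(sigma) = sigma.a1 = sigma.a2 and sigma.m1 = sigma.m2, split as in section 5.3
def phi1(s):
    return s["a1"] == s["a2"]


def phi2(s):
    return s["m1"] == s["m2"]


def phi(s):
    return phi1(s) and phi2(s)


def example():
    """The verdicts discussed in sections 5.3 and 5.4, plus two contrasts."""
    return {
        "phi1 {a1,a2}-strict": is_strict(phi1, {"a1", "a2"}),
        "phi2 {a1,a2}-strict": is_strict(phi2, {"a1", "a2"}),
        "phi2 {a1,a2}-independent": is_independent(phi2, {"a1", "a2"}),
        "phi1 {a1,a2}-independent": is_independent(phi1, {"a1", "a2"}),
        "phi {a1,a2}-autonomous": is_autonomous_rel(phi, {"a1", "a2"}),
        "phi {m1,m2}-autonomous": is_autonomous_rel(phi, {"m1", "m2"}),
        "phi {q}-autonomous": is_autonomous_rel(phi, {"q"}),
        "phi {a1}-autonomous": is_autonomous_rel(phi, {"a1"}),
        # Def 5-4: autonomous iff alpha-autonomous for every single object alpha
        "phi autonomous (Def 5-4)": all(is_autonomous_rel(phi, {x}) for x in OBJECTS),
    }


def paper_table():
    """The substitution worked in section 5.4: sigma2 <-_{a1,a2} sigma1."""
    sigma1 = {"a1": 1, "a2": 1, "m1": 2, "m2": 2, "q": 3}
    sigma2 = {"a1": 101, "a2": 101, "m1": 102, "m2": 102, "q": 103}
    sigma = substitute(sigma2, sigma1, {"a1", "a2"})
    return sigma, phi(sigma)
```

Only {a1} fails the substitution test: taking a1 from a state in which a1 = a2 = 1 and placing it in a state in which a1 = a2 = 0 breaks the first conjunct, which is exactly the correlation that keeps φ from being autonomous in the sense of Def 5-4.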


Section 5.5 Strong Dependency Induction

Chapter 4 discussed Strong Dependency Induction for autonomous
constraints only. The definitions and theorems in this section extend those
results to non-autonomous constraints.

First we extend the definitions of section 2.3.

>> Def 5-5] σ1 and σ2 differ only at A and differ at B after H given φ,
written σ1 [A ⇒ B]_φ^H σ2

    σ1 [A ⇒ B]_φ^H σ2 ≡def σ1 =_A σ2 ∧ (∀β ∈ B)( H(σ1).β ≠ H(σ2).β )

>> Def 5-6] B strongly depends upon A after H given φ

    A ⊳⊳_φ^H B ≡def (∃σ1, σ2)( σ1 [A ⇒ B]_φ^H σ2 )

>> Def 5-7] B strongly depends upon A given φ

    A ⊳⊳_φ B ≡def (∃H)( A ⊳⊳_φ^H B )

Theorem 5-3] (proof left to reader)

    A ⊳⊳_φ^H B ⊃ (∀β ∈ B)( A ⊳⊳_φ^H β )

We argued in section 4.2 that if information were transmitted from α to β
by δ1δ2, then there should be some intermediate object m such that δ1
transmits information from α to m and δ2 transmits information from m to β.
In the case of non-autonomous constraints, Strong Dependency may fail to
mirror this intuition. Consider the system

    δ1: ( m1 ← α; m2 ← α )

    δ2: β ← m1

initially constrained by the invariant but non-autonomous constraint

    φ(σ) ≡ σ.m1 = σ.m2

Although we can directly show that α ⊳⊳_φ^{δ1δ2} β, we find that

    ¬ m1 ⊳⊳_φ^{δ2} β   as well as   ¬ m2 ⊳⊳_φ^{δ2} β

But, since φ is {m1, m2}-autonomous, we do find that

    {m1, m2} ⊳⊳_φ^{δ2} β
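The verdicts just stated, and those of sections 5.2 and 5.3, can be decided by brute force once the value domain is finite. The following is an added example (not code from the paper): a checker that enumerates the states satisfying φ and declares A ⊳⊳_φ^H B when some pair of them differs only at A and differs at every object of B after H (Defs 5-5 and 5-6). It is run on the δ: β ← α1 system of section 5.2, the δ: β ← α1 − α2 system of section 5.3 and the δ1δ2 system above. The object names a1, a2, m1, m2, a, b and the domain {0, 1, 2} are constructed for the example.

```python
from itertools import product

# Added example, not code from the paper.  A state sigma is a dict
# {object name: value}; an operation maps a state to a new state; a history
# is a list of operations applied left to right.  Names and domain are
# constructed for the example.

DOMAIN = (0, 1, 2)


def states(objects, domain=DOMAIN):
    """Enumerate every state over the given object names."""
    for values in product(domain, repeat=len(objects)):
        yield dict(zip(objects, values))


def differ_only_at(s1, s2, A):
    """sigma1 =_A sigma2: the states agree on every object outside A."""
    return all(s1[x] == s2[x] for x in s1 if x not in A)


def run(history, s):
    """H(sigma): apply the operations of the history in order."""
    for op in history:
        s = op(s)
    return s


def assign(target, expr):
    """The operation 'target <- expr(sigma)', returning a fresh state."""
    return lambda s: {**s, target: expr(s)}


def strongly_depends(A, B, history, phi, objects):
    """A >>_phi^H B (Def 5-6): return a witness pair (sigma1, sigma2), both
    satisfying phi, differing only at A, with H(sigma1) and H(sigma2)
    differing at every object of B; return None when no such pair exists."""
    S = [s for s in states(objects) if phi(s)]
    for s1 in S:
        for s2 in S:
            if not differ_only_at(s1, s2, A):
                continue
            t1, t2 = run(history, s1), run(history, s2)
            if all(t1[b] != t2[b] for b in B):
                return s1, s2
    return None


# Section 5.2: delta: b <- a1 constrained by phi(sigma) = sigma.a1 = sigma.a2
OBJS_52 = ("a1", "a2", "b")
delta_52 = assign("b", lambda s: s["a1"])


def phi_eq(s):
    return s["a1"] == s["a2"]


def example_5_2():
    """(not a1 >>_phi b, {a1,a2} >>_phi b): the transmission from a1 alone is
    missed, the transmission from the clump {a1, a2} is seen."""
    single = strongly_depends({"a1"}, {"b"}, [delta_52], phi_eq, OBJS_52)
    clump = strongly_depends({"a1", "a2"}, {"b"}, [delta_52], phi_eq, OBJS_52)
    return single is None, clump is not None


# Section 5.3: delta: b <- a1 - a2 under the same phi
delta_53 = assign("b", lambda s: s["a1"] - s["a2"])


def example_5_3():
    """not {a1,a2} >>_phi b: with a1 = a2 the difference is always 0."""
    return strongly_depends({"a1", "a2"}, {"b"}, [delta_53], phi_eq, OBJS_52) is None


# Section 5.5: delta1: (m1 <- a; m2 <- a), delta2: b <- m1, phi: m1 = m2
OBJS_55 = ("a", "m1", "m2", "b")


def delta1(s):
    return {**s, "m1": s["a"], "m2": s["a"]}


delta2 = assign("b", lambda s: s["m1"])


def phi_m(s):
    return s["m1"] == s["m2"]


def example_5_5():
    """(a >>^{d1 d2} b, m1 >>^{d2} b, m2 >>^{d2} b, {m1,m2} >>^{d2} b, a >>^{d1} {m1,m2})"""
    def chk(A, B, H):
        return strongly_depends(A, B, H, phi_m, OBJS_55) is not None
    return (chk({"a"}, {"b"}, [delta1, delta2]),
            chk({"m1"}, {"b"}, [delta2]),
            chk({"m2"}, {"b"}, [delta2]),
            chk({"m1", "m2"}, {"b"}, [delta2]),
            chk({"a"}, {"m1", "m2"}, [delta1]))
```

The single-object checks fail for the reason the text gives: no two φ-states differ only at m1 (or only at a1), because φ ties that object to its partner, so the witness pair Def 5-6 asks for cannot exist even though the copy into β is plainly visible.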


We also can show that α transmits information to both m1 and m2. That is

In fact, generally we can show that

Theorem 5-4]

    If φ is invariant then

    A ⊳⊳_φ^{HH'} β ⊃ (∃M)( A ⊳⊳_φ^H M ∧ M ⊳⊳_φ^{H'} β )

This theorem, a generalization of theorem 4-1, follows immediately from the
following theorem

Theorem 5-5]

    If φ is invariant
    and M = { m | H(σ1).m ≠ H(σ2).m } then

    σ1 [A ⇒ β]_φ^{HH'} σ2 ⊃ σ1 [A ⇒ M]_φ^H σ2 ∧ H(σ1) [M ⇒ β]_φ^{H'} H(σ2)

Just as corollary 4-2 followed from theorem 4-1, we find that the following
corollary follows from theorem 5-4

Corollary 5-6]

    If φ is invariant and β ∉ A then

Chapter 6 - Non-invariant Constraints

Section 6.1 Introduction

In sections 4.2 and 5.5 we explored Strong Dependency Induction for
invariant constraints only. In this chapter, we will extend the inductive
technique to include non-invariant constraints as well.

Induction using non-invariant constraints is useful when systems oscillate
or pass through stages where one of a set of constraints is always
satisfied. It is then possible to show the absence of information
transmission by using Strong Dependency with respect to each of the
constraints in the set separately. We call the set of constraints an
inductive cover.

We find that inductive covers are especially useful in analyzing
sequential programs where they correspond to the inductive assertions
attached to a program. Strong Dependency Induction can then be used to show
absence of information transmission as the result of program execution.

Section 6.2 Constraint after a History

As an initial constraint, φ characterizes the set of possible initial
states of a system. In this section we show how to characterize the set of
possible states after execution of some history.

If φ initially constrains a system, then after execution of history H,
the set of possible states can be characterized as those states reachable by
execution of H from a state satisfying φ initially. We write [H]φ to
characterize these states. Formally we define φ after H as

>> Def 6-1] [H]φ

    [H]φ(σ') ≡def σ' ∈ { H(σ) | φ(σ) }

If σ satisfies φ, then H(σ) must satisfy [H]φ. Formally
Theorem 6-1] (proof left to reader)

    φ(σ) ⊃ [H]φ( H(σ) )

As an example, consider the system

    δ: β ← α - 4

    φ(σ) ≡ σ.α < 10

We find that

    [δ]φ(σ) ≡ σ.α < 10 ∧ σ.β = σ.α - 4

Execution of δ does not change α, so it remains less than 10. However, δ's
execution guarantees that β will be α - 4.

Note from the example above that [H]φ need not be autonomous even if φ
is. Note also that [δ]φ is stricter than φ. This increase in strictness
occurs whenever φ is invariant.

Theorem 6-2] (proof left to reader)

    If φ is invariant then

    [H]φ ⊆ φ

Section 6.3 Strong Dependency Induction

In using Strong Dependency Induction to determine whether information can
be transmitted from A to β over execution of HH', we find some M such that
information is transmitted from A to M over execution of H and from M to β
over execution of H' (theorem 5-4). If the system is initially constrained
by φ, then after execution of H, the system is constrained by [H]φ. To
determine whether information can be transmitted from M to β over execution
of H' after H has executed, one must consider a system constrained not by φ,
but by [H]φ. Formally

Theorem 6-3]

    A ⊳⊳_φ^{HH'} β ⊃ (∃M)( A ⊳⊳_φ^H M ∧ M ⊳⊳_{[H]φ}^{H'} β )

Note that the theorem holds even though [H]φ need not be M-autonomous.

This theorem follows from the following theorem

Theorem 6-4] (proof similar to theorem 5-5)

    If M = { m | H(σ1).m ≠ H(σ2).m } then

    σ1 [A ⇒ β]_φ^{HH'} σ2 ⊃ σ1 [A ⇒ M]_φ^H σ2 ∧ H(σ1) [M ⇒ β]_{[H]φ}^{H'} H(σ2)

If φ is invariant, then theorem 5-4 (the corresponding theorem for
invariant φ) is seen to follow directly from theorems 6-3, 6-2 and 2-3.

The following corollary follows from theorem 6-3 as corollary 5-6
followed from theorem 5-4.

Corollary 6-5] (proof similar to corollary 5-6)

    If β ∉ A then

    (∀H, δ, m)( A ⊳⊳_{[H]φ}^δ m ⊃ m ∈ A ) ∨
    (∀H, δ, M)( M ⊳⊳_{[H]φ}^δ β ⊃ β ∈ M )
    ⊃ ¬ A ⊳⊳_φ β

If [H]φ is autonomous for all H, the theorems in section 4.2 can be
generalized as well. In particular we find that

Theorem 6-6] (proof similar to theorem 4-1)

    If (∀H)( [H]φ is autonomous ) then

    α ⊳⊳_φ^{HH'} β ⊃ (∃m)( α ⊳⊳_φ^H m ∧ m ⊳⊳_{[H]φ}^{H'} β )
Section 6.4 Inductive Covers

In this section, we explore Strong Dependency Induction using inductive
covers, sets of φi's, such that if some φ is true initially, one of the φi's
will be true thereafter.

The simplest use of an inductive cover might be for an oscillating
system. That is, φ1 may be true initially; after execution of some
operation, φ2 will be true; after execution of another operation, φ1 will be
true again. We will present just such an example later in this section.
More generally we define an inductive cover as a set of φi's, such that for
every H, [H]φ is contained in at least one of the φi's.

>> Def 6-2] {φi} is an inductive cover for φ iff

    (∀H ∃i)( [H]φ ⊆ φi )

Since each [H]φ is contained in some φi, we find the following theorem
follows directly from corollary 6-5 and theorem 2-3.

Theorem 6-7]

    If {φi} is an inductive cover for φ then

    (∀δ, m, i)( A ⊳⊳_{φi}^δ m ⊃ m ∈ A ) ∨
    (∀δ, M, i)( M ⊳⊳_{φi}^δ β ⊃ β ∈ M )
    ⊃ ¬ A ⊳⊳_φ β

A simple example of an oscillating system is

    δ: ( β ← α; α ← -α )

    φ(σ) ≡ σ.α = 37

It is easy to see that α is initially 37; after execution of δ, α will be
-37; after execution of δ once more, α will be 37 again. No information can
be transmitted from α to β. α is constrained initially so that it contains
no variety; there is none to convey. We will prove that ¬ α ⊳⊳_φ β.

Instead of using the theorem above, we might first consider a retreat to
the comfortable world of invariant constraints. φ is clearly not invariant.
However, we could imagine finding an invariant φ* containing φ such that

    ¬ α ⊳⊳_{φ*} β

By theorem 2-3, this would yield the desired result. Unfortunately, the
most restrictive invariant containing φ is

    φ*(σ) ≡ σ.α = 37 ∨ σ.α = -37

This φ* lets α exhibit some variety, that variety can be conveyed to β by
execution of δ, and therefore α ⊳⊳_{φ*} β, which is not the result desired.

We prove the desired result by using theorem 6-7, taking {φ1, φ2} as an
inductive cover for φ, where

    φ1(σ) ≡ σ.α = 37
    φ2(σ) ≡ σ.α = -37

Since both φ1 and φ2 eliminate variety from α, we can show very easily
that

    M ⊳⊳_{φ1}^δ β ⊃ β ∈ M    and    M ⊳⊳_{φ2}^δ β ⊃ β ∈ M

So by theorem 6-7, we find that ¬ α ⊳⊳_φ β.
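Both the constraint-after-a-history construction of section 6.2 and the inductive-cover argument just given can be carried out by enumeration. The following is an added example (not code from the paper): it computes [H]φ as the set of states reachable from φ (Def 6-1), uses that set to test invariance (theorem 6-2), checks the inductive-cover condition (Def 6-2) for the histories δ^n up to a chosen bound, and reproduces the verdicts of this section: φ is not invariant, its invariant hull φ* leaks, and neither φ1 nor φ2 lets α reach β under δ. Object names a, b, the finite value domains and the history bound are constructed for the example.

```python
from itertools import product

# Added example, not code from the paper.  States are dicts {object: value};
# each object has its own finite domain so that the 6.2 example stays closed
# under delta.  Names, domains and the history bound are constructed.


def states(domains):
    """Every state whose value at each object is drawn from that object's domain."""
    names = tuple(domains)
    for values in product(*(domains[n] for n in names)):
        yield dict(zip(names, values))


def frozen(s):
    """Hashable form of a state, so that sets of states can be built."""
    return tuple(sorted(s.items()))


def run(history, s):
    """H(sigma): apply the operations of the history in order."""
    for op in history:
        s = op(s)
    return s


def after(history, phi, domains):
    """[H]phi as a set of states: { H(sigma) | phi(sigma) }  (Def 6-1)."""
    return {frozen(run(history, s)) for s in states(domains) if phi(s)}


def contained_in(state_set, phi):
    """The set is contained in phi: every state of the set satisfies phi."""
    return all(phi(dict(s)) for s in state_set)


def is_invariant(op, phi, domains):
    """phi is invariant under op: [op]phi is contained in phi (theorem 6-2)."""
    return contained_in(after([op], phi, domains), phi)


def strongly_depends(A, beta, history, phi, domains):
    """A >>_phi^H beta: a witness pair of phi-states differing only at A whose
    beta values differ after H, or None."""
    S = [s for s in states(domains) if phi(s)]
    for s1 in S:
        for s2 in S:
            if (all(s1[x] == s2[x] for x in s1 if x not in A)
                    and run(history, s1)[beta] != run(history, s2)[beta]):
                return s1, s2
    return None


# Section 6.2 example: delta: b <- a - 4, phi(sigma) = sigma.a < 10
D62 = {"a": range(0, 14), "b": range(-4, 14)}   # constructed domains


def delta_62(s):
    return {**s, "b": s["a"] - 4}


def phi_62(s):
    return s["a"] < 10


def example_6_2():
    """[delta]phi equals { sigma | sigma.a < 10 and sigma.b = sigma.a - 4 } on D62."""
    computed = after([delta_62], phi_62, D62)
    claimed = {frozen(s) for s in states(D62) if s["a"] < 10 and s["b"] == s["a"] - 4}
    return computed == claimed


# Section 6.4 example: delta: ( b <- a ; a <- -a ), phi(sigma) = sigma.a = 37
D64 = {"a": (-37, 0, 37), "b": (-37, 0, 37)}


def delta_64(s):
    return {"a": -s["a"], "b": s["a"]}


def phi(s):
    return s["a"] == 37


phi1 = phi


def phi2(s):
    return s["a"]  == -37


def phi_star(s):
    """The most restrictive invariant containing phi."""
    return s["a"] in (37, -37)


def is_inductive_cover(cover, phi, op, domains, max_len):
    """Def 6-2 checked for the histories op^n, n <= max_len (assumed bound)."""
    return all(any(contained_in(after([op] * n, phi, domains), phi_i) for phi_i in cover)
               for n in range(max_len + 1))


def example_6_4():
    """The verdicts of section 6.4."""
    def dep(c):
        return strongly_depends({"a"}, "b", [delta_64], c, D64) is not None
    return {
        "phi invariant": is_invariant(delta_64, phi, D64),
        "phi* invariant": is_invariant(delta_64, phi_star, D64),
        "a >>_phi* b": dep(phi_star),
        "{phi1,phi2} covers phi": is_inductive_cover([phi1, phi2], phi, delta_64, D64, 6),
        "a >>_phi1^delta b": dep(phi1),
        "a >>_phi2^delta b": dep(phi2),
    }
```

The bound on history length is the one approximation: Def 6-2 quantifies over every H, and the checker only walks δ^n for n up to the bound, which is enough here because the system returns to a φ1-state every second step.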
Section 6.5 Information Transmission in Sequential Programs

In this section we will show how to prove the absence of information
transmission in sequential programs by using Floyd assertions [Floyd 67] as
an inductive cover.

Consider the flowchart program

Following [Lipton 73], this program can be modelled by the
computational system (pc acts as a program counter)

constrained by φ which guarantees that execution begins at "start".

Following [Floyd 67], we place an entry assertion at the beginning of the
program, an exit assertion at the end, and intermediate assertions preceding
each intermediate statement. Suppose that we know that the program only
executes on data that initially satisfies φ1 (the entry assertion). Now let
φ2,...,φn be assertions placed preceding statements labelled δ2,...,δn
respectively, and let φn+1 be the exit assertion (see diagram above).

The meaning of Floyd assertions is this: if the entry assertion (φ1) is
satisfied, and if control is at δi (i.e. σ.pc = i), then φi is true.
Initially, control is at statement δ1, and if the entry assertion is
satisfied, the state of the system can be characterized by φ1 ∧ φ.
Control is always at some δi, therefore, some φi must always be true.
That is just the requirement that makes {φi} an inductive cover for
φ1 ∧ φ.

It is useful to take the pc explicitly into account. Define

    φi*(σ) ≡ φi(σ) ∧ σ.pc = i

Since the value of the pc is i whenever control is at δi, φi* is always true
when control is at δi, and therefore {φi*} is also an inductive cover for
φ1 ∧ φ (= φ1*).

Now we see that

    (∀σ)( φi*(σ) ⊃ σ.pc = i )

and each δj is of the form

    δj: if pc = j then ...

so if x ⊳⊳_{φi*}^{δj} y, then (unless y ∈ x - see section 2.5) i must be equal
to j, for otherwise execution of δj can have no effect on y (or any object).
Formally

    (∀i, j, X, y)( X ⊳⊳_{φi*}^{δj} y ⊃ i = j ∨ y ∈ X )

Thus by theorem 6-7, to show ¬ A ⊳⊳_{φ1*} β we need only show that
    1. Either (∀i, m)( A ⊳⊳_{φi*}^{δi} m ⊃ m ∈ A )

    2. Or (∀i, M)( M ⊳⊳_{φi*}^{δi} β ⊃ β ∈ M )

The second alternative corresponds to the following proof technique for
showing that no information can be transmitted from α to β.

    For each statement δi that contains an assignment to β, show that
    φi* constrains the state so that no information can be transmitted
    to β as a result of execution of δi. φi* is the inductive assertion
    for statement δi conjoined with σ.pc = i. [ We need not be
    concerned with statements that cannot assign to β; they can never
    transmit information to β. ]

In the example above, we pick the entry assertion to be

    φ1(σ) ≡ σ.q < 10

We can then show that φ2 is a legal inductive assertion for statement δ2

    φ2(σ) ≡ ¬σ.t

Since q is initially less than 10, t must be false when control reaches
δ2 (by execution of δ1). Since t is false, execution of δ2 can never
transmit information to β. Formally,

    (∀M)( M ⊳⊳_{φ2*}^{δ2} β ⊃ β ∈ M )

Since δ2 is the only statement that assigns to β, we have shown that no
information can be transmitted from α to β over execution of the program.
In general, suppose that β is only assigned to at statement k (not
necessarily the last statement). Then, in order to prove ¬ A ⊳⊳_{φ1*} β, we
need only show

    (∀M)( M ⊳⊳_{φk*}^{δk} β ⊃ β ∈ M )

Yet, there are difficulties in using Strong Dependency as a model of
information transmission in programs. Consider the flowchart
which can be modelled by the constrained system

    δ1: if pc = 1 then ( if α then pc ← 2 ... )

    δ2: if pc = 2 then ( β ← 0; pc ← 4 )

    δ3: if pc = 3 then ( β ← 0; pc ← 4 )

    φ1(σ) ≡ σ.pc = 1

Now it is clear from looking at the program that information cannot be
transmitted from α to β, since β is set to 0 regardless of α's value. Yet
we find that

    α ⊳⊳_{φ1}^{δ1δ2} β

and therefore

    α ⊳⊳_{φ1} β

This can be demonstrated by

    Picking σ1 so that σ1.α = tt, σ1.β = 37

    Picking σ2 just like σ1 except that σ2.α = ff

    Then σ1 =_α σ2, (δ1δ2)(σ1).β = 0, (δ1δ2)(σ2).β = 37

This example may appear to invalidate the Strong Dependency Hypothesis.
In fact, it does not. The Strong Dependency formalism implicitly assumes
that β's observer knows the history being executed. Suppose that an
observer of β did know that δ1δ2 was being executed. δ2 has an effect only
if the pc is 2. If δ2 does have an effect on β, then β's observer can infer
that the pc was 2 when δ2 was executed, which implies that α was true
initially. That information about α is thus transmitted to β.

In arguing that information cannot be transmitted from α to β, we tacitly
made the assumption that β's observer could not observe the history
executed. Ordinarily, we might instead make the assumption that β's observer
can only detect the passage of time (as well as the value of β of course).
Work in progress (section 7.3) formalizes the observation of time and
allows us to show formally that, in the example above, as long as only time,
and not the history, can be observed, no information can be transmitted from
α to β.
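The pc-guarded program above, and the difference between an observer who knows the history δ1δ2 and one who sees only the final value of β, can be reproduced by running the three guarded operations on the two states the text picks. The following is an added example (not code from the paper). The else branch of δ1 (pc ← 3 when α is false) is an assumption: the page shows only the then branch. Object names alpha, beta and pc follow the text; the "whole program" run executes δ1δ2δ3, which is this system's sequential execution to termination from pc = 1.

```python
# Added example, not code from the paper.  States are dicts {object: value}.
# The else branch of delta1 is assumed; everything else follows the text.


def delta1(s):
    """delta1: if pc = 1 then ( if alpha then pc <- 2 else pc <- 3 )  (else assumed)"""
    if s["pc"] == 1:
        return {**s, "pc": 2 if s["alpha"] else 3}
    return dict(s)


def delta2(s):
    """delta2: if pc = 2 then ( beta <- 0; pc <- 4 )"""
    if s["pc"] == 2:
        return {**s, "beta": 0, "pc": 4}
    return dict(s)


def delta3(s):
    """delta3: if pc = 3 then ( beta <- 0; pc <- 4 )"""
    if s["pc"] == 3:
        return {**s, "beta": 0, "pc": 4}
    return dict(s)


def run(history, s):
    """H(sigma): apply the operations in order."""
    for op in history:
        s = op(s)
    return s


def phi1(s):
    """phi1(sigma) = sigma.pc = 1"""
    return s["pc"] == 1


# The text's witness pair: sigma1 =_alpha sigma2, both satisfying phi1.
SIGMA1 = {"alpha": True, "beta": 37, "pc": 1}
SIGMA2 = {**SIGMA1, "alpha": False}


def beta_after_known_history():
    """alpha >>_phi1^{delta1 delta2} beta: an observer who knows that delta1 delta2
    ran sees beta = 0 exactly when alpha was true.  Returns (beta from sigma1,
    beta from sigma2)."""
    assert phi1(SIGMA1) and phi1(SIGMA2)
    return run([delta1, delta2], SIGMA1)["beta"], run([delta1, delta2], SIGMA2)["beta"]


def beta_after_whole_program():
    """Run delta1 delta2 delta3 from both states: beta is 0 either way, so an
    observer who sees only the final beta (not which steps took effect)
    learns nothing about alpha."""
    whole = [delta1, delta2, delta3]
    return run(whole, SIGMA1)["beta"], run(whole, SIGMA2)["beta"]


def guard_lemma():
    """The lemma (for all i, j, X, y)( X >>_{phi_i*}^{delta_j} y implies i = j or y in X )
    rests on a guarded operation being the identity when its guard fails.
    Checked for delta2 on every state with pc = 3 over a small constructed domain."""
    return all(delta2({"alpha": a, "beta": b, "pc": 3}) == {"alpha": a, "beta": b, "pc": 3}
               for a in (True, False) for b in (0, 37))
```

The (0, 37) pair is precisely the witness Def 5-6 needs, and it exists only because the history δ1δ2 is taken as known: δ2 is the step that "did nothing" on the α = ff path, and an observer who can tell that it did nothing has learned α.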
Chapter 7 - Work in Progress

Section 7.1 Introduction

In this chapter, we discuss work in progress, both extensions to the
Strong Dependency Model, as well as other models suggested by issues raised
in exploring Strong Dependency.

Section 7.2 Alternate Models for Information Transmission

We have found that Strong Dependency corresponds to information
transmission only in autonomously constrained systems. For example, in the
system

    δ: β ← α1

    φ(σ) ≡ σ.α1 = σ.α2

information can certainly be transmitted from α1 to β, yet we find that

    ¬ α1 ⊳⊳_φ β.

Two other models, Inferential Dependency and Direct Dependency, are being
explored in an attempt to extend Strong Dependency to non-autonomous
constraints. The two models treat "inferential" transmission differently.
Inferential Dependency would indicate that information is transmitted from
both α1 and α2 to β in the example above. Direct Dependency would indicate
only that information is transmitted from α1 to β. The advantage of a
Direct Dependency formalism can be seen more clearly in the following
example:

    δ: β ← α1

    φ(σ) ≡ σ.α1.tag = σ.α2.tag

Information is certainly transmitted from α1 to β by execution of δ. Since
φ indicates that the tag components of α1 and α2 are the same, one might well
conclude that some information about α2 is transmitted to β as well. If the
tag component does not contain important information (i.e. we don't care if
it is transmitted), we may find it useful to ignore this inferential
transmission. A Direct Dependency formalism would do just that.

If a model of information transmission does include the effect of
"inferential" transmission, information transmission cannot be monotonic in
the sense of theorem 2-3. More restrictive constraints might increase the
sources of information. For example, in the system described above, φ is
more restrictive than the always true constraint (i.e. no constraint at
all), yet imposing φ adds an information path (from α2 to β).

The Inferential Dependency formalism is being developed from a purely
inferential, rather than an information theoretic approach. We say that β
inferentially depends upon α after execution of H in a system constrained by
φ, if an observer of the system, able to view only β, can make some inference
about α that "says more" about α than can be determined from φ alone. We
find that the definition of "says more" is the crucial (and most interesting)
part of this model.

Our investigations to date indicate that the model is at least as general
as Strong Dependency, in the sense that we can show that Inferential
Dependency and Strong Dependency give the same results for
relatively-autonomous constraints.

The definition of "says more" turns out to be related to what can be
called "contingent" information transmission. In execution of

    δ: β ← (( α1 + α2 ) mod 128 )

information is clearly transmitted from {α1, α2} to β. It is not so clear
that information is transmitted from α1 alone to β. No matter what an
observer finds to be the value of β after execution of δ, no inference can
be made about the value of α1. α1 can take on any value contingent on the
value of α2. Strong Dependency would indicate that β does depend upon α1.
We find that we can define Inferential Dependency in two different ways; one
would indicate contingent information transmission, one would not.
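The two readings of the (α1 + α2) mod 128 example can be compared numerically. The following is an added example (not code from the paper): it exhibits the pair of states that makes β strongly dependent on α1, and then computes what an observer who sees only β can infer about α1 alone and about the clump {α1, α2}. The object names a1, a2, beta are constructed, and the observer is taken to have no initial constraint (φ = true), as the passage states none.

```python
# Added example, not code from the paper.  States are dicts {object: value};
# the value domain is 0..127 so that the mod-128 sum stays inside it.

MOD = 128


def delta(s):
    """delta: beta <- (a1 + a2) mod 128"""
    return {**s, "beta": (s["a1"] + s["a2"]) % MOD}


def strong_dependency_witness():
    """Two states differing only at a1 whose beta values differ after delta:
    the witness that a1 >> beta in the sense of Strong Dependency."""
    s1 = {"a1": 1, "a2": 0, "beta": 0}
    s2 = {**s1, "a1": 2}
    return delta(s1)["beta"], delta(s2)["beta"]


def possible_a1_values(observed_beta):
    """Inferential view: the a1 values consistent with seeing beta = observed_beta
    when nothing is known about a2 (no initial constraint)."""
    return {a1 for a1 in range(MOD)
            if any((a1 + a2) % MOD == observed_beta for a2 in range(MOD))}


def inference_about_a1_is_empty():
    """For every observable beta, every a1 remains possible: the observer
    infers nothing about a1 alone, however beta turns out."""
    return all(possible_a1_values(b) == set(range(MOD)) for b in range(MOD))


def possible_pair_values(observed_beta):
    """The clump {a1, a2}, by contrast, is narrowed from 128 * 128 candidates
    to the 128 pairs on one anti-diagonal of the addition table."""
    return {(a1, a2) for a1 in range(MOD) for a2 in range(MOD)
            if (a1 + a2) % MOD == observed_beta}
```

This is the contingent case the text describes: the witness pair shows variety in α1 reaching β when α2 is held fixed, while the inference sets show that an observer who does not know α2 cannot turn the observed β into any statement about α1.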


Theorem 2-1 holds precisely because Strong Dependency does indicate
contingent information transmission. In a model that ignores contingent
information transmission, information might be transmitted from a set of
objects A to β, even though no information might be transmitted to β from
any one single object in A.

One probable prerequisite for any acceptable model of information
transmission is an induction principle at least as general as Strong
Dependency Induction (theorems 5-4 and 6-3) and a theorem that permits
separation of variety in a manner analogous to theorem 4-5.

Section 7.3 Mechanisms


’ In  this  paper,  we  have  assumed  that  information  problems  may  only  be 
solved  by  imposing  an  initial  constraint  m a system.  As  we  note  in  (Cohen 
76],  problems  may  aiso  be  solved  by  adding  a mechanism  to  a system.  In 
(Cohen  761,  we  define  a mechanism  as  implementing  an  arbitrary  mapping  from 
an  augmented  system  (as  it  is  provided  to  a user)  to  an  origins'  base 
system.  This  mechanism  formalism  can  be  used  to  model  protection 
mechanisms,  synchronization  mechanisms,  sequential  and  concurrent  control 
mechanisms,  virtual  machine  monitors,  and  can  be  used  to  mode!  Information 
hiding  and  situations  in  which  a user  is  to  be  prevented  from  observing  the 
exact  sequence  of  operations  performed  in  the  base  system  in  response  to 
execution  of  operations  executed  by  the  user  in  the  augmented  system. 


[Rotenberg 73] and [Denning 75] have warned us that we must be careful in adding mechanisms to a system. For even as the mechanisms may eliminate certain information paths, they may covertly add others. [Rotenberg 73] especially provides a number of exceedingly subtle examples of covert information paths. Our formal model of mechanism, in conjunction with the Strong Dependency formalism, permits a characterization of those mechanisms that do not add new paths for information transmission.


Two sorts of run-time mechanisms that prevent information transmission have appeared in the literature. The *-property mechanism [Bell & LaPadula 73] requires that the classification of ordinary objects (not processes) be fixed. [Denning 75] has shown that such mechanisms do prevent information transmission without adding covert channels.
If the classifications of objects are allowed to vary depending upon the information stored in them, then covert information paths are easily introduced. The Adept-50 system [Weissman 69] does allow the classification of objects to vary; [Denning 76] has shown that it permits covert leakage of information. We are exploring mechanisms that permit classifications to vary; we can prove that covert information paths are not introduced because we also require that the state of the system be initially constrained. The initial constraints correspond to initial properties of an access matrix.
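The contrast drawn above, between a mechanism whose labels are fixed and one whose labels vary with the data, can be checked directly against the Strong Dependency definition: does some change in the secret alone produce a change in what a low user can observe? The following is an added example, not code from the paper or from any of the systems it cites. It brute-forces $A \rhd^{H}_{\varphi} \beta$ over an explicit, constructed set of initial states, and runs that check on two constructed toy mechanisms (one with fixed labels and a no-write-down rule, one in which a read raises the process level and a write raises the target's label). The toy mechanisms, the object names (`high`, `low`, `low_class`, `proc_level`) and the function names are all assumptions of this example; they are not models of Adept-50 or of the *-property as actually specified.

```python
from itertools import product

# A state is a dict from object names to values; a history is a list of
# operations, each a function from a state to the next state.
# Constructed toy model for illustration, not the paper's own code.

def agree_outside(s1, s2, A):
    """True when s1 and s2 agree on every object whose name is not in A."""
    return all(s1[n] == s2[n] for n in s1 if n not in A)

def run(history, state):
    """Execute the operations of a history in order on a copy of the state."""
    for op in history:
        state = op(dict(state))
    return state

def strongly_depends(history, A, beta, states, phi=lambda s: True):
    """Brute-force test of A ⊳_φ^H β over a finite set of initial states:
    is there a pair of states satisfying φ that differ only on objects in A
    and leave β with different values after the history has run?"""
    allowed = [s for s in states if phi(s)]
    for s1, s2 in product(allowed, repeat=2):
        if agree_outside(s1, s2, A) and run(history, s1)[beta] != run(history, s2)[beta]:
            return True
    return False

def varying_label_step(s):
    """Constructed mechanism whose labels vary with the data: reading the secret
    raises the process level, and a write raises the written object's label to
    that level.  The program decides whether to write based on the secret bit."""
    level = max(s["proc_level"], s["high_class"])  # the read raises the level
    if s["high"] == 1:
        s["low"] = 1
        s["low_class"] = max(s["low_class"], level)
    s["proc_level"] = level
    return s

def fixed_label_step(s):
    """Constructed mechanism with fixed labels: the process may read the secret
    only if its clearance dominates the secret's label, and may write an object
    only if the object's label dominates its clearance (no write-down)."""
    level = s["proc_level"]
    x = s["high"] if level >= s["high_class"] else 0
    if x == 1 and level <= s["low_class"]:
        s["low"] = 1
    return s

def toy_states():
    """Constructed initial states: the secret bit and the process clearance
    vary; the labels of the two data objects are fixed (high secret, low open)."""
    return [{"high": h, "high_class": 1, "low": 0, "low_class": 0, "proc_level": p}
            for h, p in product((0, 1), repeat=2)]

def label_leaks(step):
    """Does the label of the low object (visible to a low user) depend on the secret?"""
    return strongly_depends([step], {"high"}, "low_class", toy_states())

def data_leaks(step):
    """Does the value of the low object depend on the secret?"""
    return strongly_depends([step], {"high"}, "low", toy_states())

if __name__ == "__main__":
    for name, step in (("varying labels", varying_label_step),
                       ("fixed labels", fixed_label_step)):
        print(name, "- label depends on secret:", label_leaks(step),
              "- data depends on secret:", data_leaks(step))
```

With the varying-label mechanism, `low_class` strongly depends on `high` (the label itself is the covert path); with fixed labels neither `low` nor `low_class` does. Passing a `phi` that constrains the initial states is the paper's other route to a solution: a constraint that fixes `high` removes the dependency, which is the sense in which an initial constraint "solves" the problem.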

A mechanism may be used as a formal tool for specifying the mapping from a given system to a simpler system that may be easier to analyze. Work in progress examines classes of mechanisms that preserve various information transmission properties.

Finally, we noted above that the mechanism formalism is useful for specifying exactly which parts of the behavior of a system can be observed. In section 6.5, we noted that if only the time of a computation can be observed instead of the history, certain information paths disappear. We can formalize this argument through the use of those mechanisms called "sequential control mechanisms" in [Cohen 76].

Section 7.4 Information Theory [infthr:]

Strong Dependency and the other models of information transmission alluded to above are non-quantitative. They indicate whether information can be transmitted, but not how much. A number of different measures can be formulated, depending upon one's approach to contingent and inferential information transmission. Each of these measures may be based on Shannon's information entropy [Shannon & Weaver 49].

The following example illustrates the reason for two different measures corresponding to two different approaches to contingent information transmission (section 7.2). Consider the operation

$$\delta:\quad \beta \leftarrow ((a_1 + a_2) \bmod 128)$$

If initially $a_1$ and $a_2$ can take on values from 0 to 127 with equal probability, then execution of $\delta$ transmits 7 bits of information from $\{a_1, a_2\}$ to $\beta$. But how many bits of information are transmitted to $\beta$ from $a_1$ alone?

The answer might reasonably be zero, for reasons identical to those given in section 7.2. An observer of $\beta$ can gain no information about the value of $a_1$ alone. In information theoretic terms we might say that the equivocation of $\beta$ with respect to $a_1$ is 7 bits; any value of $\beta$ observed estimates any initial value of $a_1$ with 7 bits worth of uncertainty. Since $a_1$ has an initial entropy of 7 bits (the values 0 to 127 can initially occur with equal probability), the amount of information transmitted is 7 - 7 (initial entropy - equivocation), or zero bits.

One might instead measure the average number of bits transmitted from $a_1$ to $\beta$, averaging over all the possible ways in which each object but $a_1$ is held constant. If $a_2$ is held constant, then the full variety of $a_1$ (7 bits worth) is transmitted to $\beta$ by execution of $\delta$. The average number of bits (averaged over the values of $a_2$) transmitted from $a_1$ to $\beta$ is 7.

A quantitative model of information transmission might also include the effect of constraint. Constraint reduces the variety in a system. We might write $b(A \xrightarrow{\varphi :: H} \beta)$ to mean the number of bits of information transmitted from A to $\beta$ in a system constrained by $\varphi$ over execution of H. Increasing the constraint in a system reduces the variety available to be conveyed. We might expect an appropriate definition for b to be monotonic,

$$\varphi_1 \subseteq \varphi_2 \ \supset\ b(A \xrightarrow{\varphi_1 :: H} \beta) \le b(A \xrightarrow{\varphi_2 :: H} \beta)$$

although due to the effects of inference (section 7.2), this relationship should perhaps only hold for A-autonomous constraints.

We ask the question: is it desirable or useful, and if so, then possible, to define b so that

$$b(A_1 \xrightarrow{\varphi :: H} \beta) + b(A_2 \xrightarrow{\varphi :: H} \beta) = b((A_1 \cup A_2) \xrightarrow{\varphi :: H} \beta)$$

Neither of the alternatives suggested above satisfies this additive property. One might argue that if $A_1$ transmits $v_1$ bits to $\beta$ and $A_2$ transmits $v_2$ bits to $\beta$, then $A_1 \cup A_2$ transmits $v_1 + v_2$ bits to $\beta$. If b is not defined in such a way as to satisfy this property, then the difference between the left and right hand sides of the equation might be construed as measuring the relative interference between $A_1$ and $A_2$ in transmitting information to $\beta$ over execution of H.
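The two measures sketched for the mod-128 example, and the failure of additivity just discussed, can be computed rather than argued. The following is an added example, not code from the paper: it enumerates all 128 x 128 equally likely initial states, computes entropy, equivocation and "initial entropy minus equivocation" exactly as the text phrases them, and evaluates both candidate definitions of b on $a_1$, $a_2$ and $\{a_1, a_2\}$. The function names `b_first`, `b_second` and `interference` and the naming of the operation as `delta` are this example's own choices.

```python
from collections import Counter
from itertools import product
from math import log2

MOD = 128  # a1 and a2 range over 0..127, so each carries 7 bits of variety

def delta(a1, a2):
    """The operation from the text: beta <- (a1 + a2) mod 128."""
    return (a1 + a2) % MOD

def entropy(counts):
    """Shannon entropy in bits of an empirical distribution given as a Counter."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())

def equivocation(pairs):
    """H(X | Y) = H(X, Y) - H(Y) over a list of equally likely (x, y) samples."""
    return entropy(Counter(pairs)) - entropy(Counter(y for _, y in pairs))

def bits_transmitted(pairs):
    """Initial entropy of X minus the equivocation of Y with respect to X."""
    return entropy(Counter(x for x, _ in pairs)) - equivocation(pairs)

def initial_states():
    # constructed: every (a1, a2) pair is an equally likely initial state
    return list(product(range(MOD), repeat=2))

IDX = {"a1": 0, "a2": 1}  # position of each named object in a state tuple

def b_first(sources):
    """First measure: what beta reveals about the named sources when
    nothing else is held constant (the observer sees only beta)."""
    pairs = [(tuple(s[IDX[n]] for n in sources), delta(*s)) for s in initial_states()]
    return bits_transmitted(pairs)

def b_second(sources):
    """Second measure: bits from the named sources, averaged over every way
    of holding each other object constant."""
    others = [n for n in IDX if n not in sources]
    fixings = list(product(range(MOD), repeat=len(others)))
    total = 0.0
    for fix in fixings:
        pairs = [(tuple(s[IDX[n]] for n in sources), delta(*s))
                 for s in initial_states()
                 if all(s[IDX[o]] == v for o, v in zip(others, fix))]
        total += bits_transmitted(pairs)
    return total / len(fixings)

def interference(b):
    """b(A1) + b(A2) - b(A1 u A2): zero only if the measure b is additive."""
    return b(("a1",)) + b(("a2",)) - b(("a1", "a2"))

if __name__ == "__main__":
    for name, b in (("first measure", b_first), ("second measure", b_second)):
        print(name, "a1:", b(("a1",)), "a2:", b(("a2",)),
              "both:", b(("a1", "a2")), "interference:", interference(b))
```

Under the first measure $a_1$ alone contributes 0 bits while the pair contributes 7, so the interference is -7; under the second measure each of $a_1$ and $a_2$ contributes 7 bits and the pair still only 7, so the interference is +7. Neither measure is additive, which is the point the paragraph above makes.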


We have implicitly assumed above that each state satisfying $\varphi$ occurs with equal probability. More generally, the actual number of bits transmitted over some history must depend upon the distribution, pr, of the initial states. In this sense, pr is a generalization of an initial constraint $\varphi$. We might write $b(A \xrightarrow{pr :: H} \beta)$ to mean the number of bits of information transmitted from A to $\beta$ as a result of execution of H.

If $pr(\sigma)$ is the probability that $\sigma$ is an initial state, then one can define $[H]pr$ so that $([H]pr)(\sigma)$ is the probability of state $\sigma$ occurring after execution of H. One might expect a quantitative theory of information to satisfy the following property, corresponding roughly to Strong Dependency Induction.

If $b(A \xrightarrow{pr :: HH'} \beta) = k$ then there exists some set of objects M such that

$$b(A \xrightarrow{pr :: H} M) \ge k \quad\text{and}\quad b(M \xrightarrow{[H]pr :: H'} \beta) \ge k$$

where

$$b(X \xrightarrow{pr :: H} Y) =_{def} \sum_{y \in Y} b(X \xrightarrow{pr :: H} y)$$

That is, if execution of HH' transmits k bits of information from A to $\beta$, there must be some set of objects M such that execution of H transmits at least k bits from A to M and subsequent execution of H' transmits at least k bits from M to $\beta$.


Section 7.5 Declassification

Throughout this paper, we have considered those problems where we want to guarantee that information is not transmitted from one set of objects to another set of objects. These problems do not take into consideration the matter of declassification. [Bell & LaPadula 73] have extended their *-property mechanism to permit trustworthy executors to transmit information where such transmission would not normally be permitted. Similarly, we need to extend our notion of information problem to formally model declassification by trustworthy executors.

We are currently exploring a definition of the Confinement Problem that does formally model such declassification. We expect to show that access matrix systems of the form suggested in [Cohen & Jefferson 75] can indeed be used to solve just that problem.
Chapter 8 - Conclusion

This paper has introduced Strong Dependency, a formalism for describing information transmission in computational systems. We showed how the formalism could be used to describe information problems and prove the correctness of solutions to them.

The notation $A \rhd^{H} \beta$ means that $\beta$ strongly depends on A. That is, over execution of some history H, some change in the initial values of the objects in A may cause a corresponding change in the value of $\beta$; variety in A can be conveyed to $\beta$. We argued in this paper that $A \rhd^{H} \beta$ corresponds to the intuitive notion that information is transmitted from the set of objects A to $\beta$.

We found that by imposing some initial constraint on the system, the variety in an object could be reduced, thereby preventing information transmission. $A \rhd^{H}_{\varphi} \beta$, "$\beta$ strongly depends on A given $\varphi$", corresponds to the intuitive notion that information can be transmitted from A to $\beta$ in a system constrained by $\varphi$, as long as $\varphi$ is autonomous relative to A, that is, as long as $\varphi$ does not establish some correspondence between the values of objects in A and those not in A.

We define a solution to an information problem as an initial constraint $\varphi$ that will prevent certain specified information transmission. For example, the problem of guaranteeing that no information can be transmitted from $\alpha$ to $\beta$ can be written as

$$X(\varphi) \equiv \neg\, \alpha \rhd_{\varphi} \beta$$

We say that $\varphi$ solves X if $\varphi$ prevents information transmission from $\alpha$ to $\beta$.


As Strong Dependency is defined, it is necessary to show that no information can be transmitted from A to $\beta$ over every possible history in order to show that no information can be transmitted from A to $\beta$. We therefore introduced Strong Dependency Induction, an inductive technique for proving correctness of solutions to information problems.




Strong Dependency Induction is based on the principle that when information is transmitted from $\alpha$ to $\beta$ over execution of HH', there is some intermediate object m such that execution of H transmits information from $\alpha$ to m and execution of H' transmits information from m to $\beta$.

We found that Strong Dependency Induction is ineffective if the Strong Dependency relation is not transitive. We introduced another proof technique, Separation of Variety, that may be used in conjunction with Strong Dependency Induction in case Strong Dependency is non-transitive.

We discussed Strong Dependency (and Strong Dependency Induction) first for constraints both autonomous (those constraining the variety in an object independently of other objects) and invariant, extending the results to relatively-autonomous and non-invariant constraints respectively.

Finally we noted that in a computational system modelling execution of a sequential program, the initial constraint $\varphi$ corresponds to an entry assertion for the program. The set of inductive assertions attached to the program can be used in conjunction with the Strong Dependency formalism to show absence of information transmission as a result of program execution for any input satisfying the entry assertion.

Strong Dependency is a first approximation to an understanding of information transmission in computational systems. The chapter detailing work in progress represents a collection of the directions for future research.
Appendix A - Proofs

Theorem 2-1

See theorem 2-6 with $\varphi = \mathit{tt}$.

Theorem 2-4

[proof not legible in the scan]
Theorem 2-6

Given:

1] $\varphi$ is autonomous
2] $A \rhd^{H}_{\varphi} \beta$
3] [not legible in the scan]
4] $(\bigcup_{\alpha \in A} \alpha) \rhd^{H}_{\varphi} \beta$ [2]
5] $\bigvee_{\alpha \in A} (\alpha \rhd^{H}_{\varphi} \beta)$ [3,4, th 5-2]


Theorem 3-1

Given

1] $X(\varphi) \equiv \neg\, A \rhd_{\varphi} \beta \ \wedge\ \varphi$ is A-independent
2] $X(\varphi_1) \wedge X(\varphi_2)$

[steps 3 to 29 not legible in the scan]

30] $\varphi_1(\sigma) \wedge \varphi_2(\sigma) \supset \varphi(\sigma)$ (25-(28,29))
31] $\varphi$ is A-autonomous (15,19,24,30)


Theorem 5-2

Prove: If $\varphi$ is $A_i$-autonomous, $i = 1, \ldots, k$, then

$$(\bigcup_{i=1}^{k} A_i) \rhd^{H}_{\varphi} \beta \ \supset\ \bigvee_{i=1}^{k} (A_i \rhd^{H}_{\varphi} \beta)$$

by induction on k

Base k = 1. Direct by substitution
Induction: Assume for k, prove for k+1

1] Assume $\varphi$ is $A_i$-autonomous, $i = 1, \ldots, k+1$
2] Let $A = A_{k+1}$, $A^* = \bigcup_{i=1}^{k} A_i$
3] Assume $(A^* \cup A) \rhd^{H}_{\varphi} \beta$
4] $\sigma_1 =_{A^* \cup A} \sigma_2 \ \wedge\ H(\sigma_1).\beta \neq H(\sigma_2).\beta$ [3]
5] Let $\sigma = \sigma_1 \rightarrow_{A} \sigma_2$
6] $\varphi(\sigma)$ [1,2,4,5, th 5-1]
7] Case 1: $H(\sigma).\beta \neq H(\sigma_1).\beta$
8] $\sigma \overset{\varphi}{=}_{A} \sigma_1$ [4,5,5]
9] $A_{k+1} \rhd^{H}_{\varphi} \beta$ [7,8,2]
10] Case 2: $H(\sigma).\beta = H(\sigma_1).\beta$
11] $H(\sigma).\beta \neq H(\sigma_2).\beta$ [4,10]
12] $\sigma \overset{\varphi}{=}_{A^*} \sigma_2$ [4,5,5]
13] $A^* \rhd^{H}_{\varphi} \beta$ [11,12]
14] $\bigvee_{i=1}^{k} (A_i \rhd^{H}_{\varphi} \beta)$ [13,1,2, induction]
15] $\bigvee_{i=1}^{k+1} (A_i \rhd^{H}_{\varphi} \beta)$ [7-9, 10-14]

Theorem 5-5

Given

1] $\varphi$ is invariant
2] $M = \{\, m \mid H(\sigma_1).m \neq H(\sigma_2).m \,\}$

Prove: $\sigma_1 \diamond^{\varphi,HH'}_{\beta} \sigma_2 \ \equiv\ \sigma_1 \diamond^{\varphi,H}_{M} \sigma_2 \ \wedge\ H(\sigma_1) \diamond^{\varphi,H'}_{\beta} H(\sigma_2)$

3] $\Longrightarrow$: Assume $\sigma_1 \diamond^{\varphi,HH'}_{\beta} \sigma_2$
4] $\sigma_1 =_{A} \sigma_2$ [3]
5] $(\forall m \in M)(H(\sigma_1).m \neq H(\sigma_2).m)$ [2]
6] $\sigma_1 \diamond^{\varphi,H}_{M} \sigma_2$ [4,5]
7] $\varphi(H(\sigma_1)) \wedge \varphi(H(\sigma_2))$ [1,4]
8] $H(\sigma_1) =_{M} H(\sigma_2)$ [2]
9] $H'(H(\sigma_1)).\beta \neq H'(H(\sigma_2)).\beta$ [3]
10] $H(\sigma_1) \diamond^{\varphi,H'}_{\beta} H(\sigma_2)$ [7,8,9]
11] $\Longleftarrow$: Assume $\sigma_1 \diamond^{\varphi,H}_{M} \sigma_2 \ \wedge\ H(\sigma_1) \diamond^{\varphi,H'}_{\beta} H(\sigma_2)$
12] $\sigma_1 =_{A} \sigma_2$ [11]
13] $(HH')(\sigma_1).\beta \neq (HH')(\sigma_2).\beta$ [11]
14] $\sigma_1 \diamond^{\varphi,HH'}_{\beta} \sigma_2$
Corollary 5-6

Given

1] $\varphi$ is invariant
2] $\beta \notin A$

Prove: $A \rhd^{H}_{\varphi} \beta \ \supset\ (\exists \delta, m \notin A)(A \rhd^{\delta}_{\varphi} m) \ \wedge\ (\exists \delta, M)(M \rhd^{\delta}_{\varphi} \beta \ \wedge\ \beta \notin M)$

by induction on the length of H

Base H = $\lambda$. Follows from [2, th 2-3]
Base H = $\delta$. Direct by substitution
Induction: Assume for H, prove for H$\delta$ or $\delta$H

3] Assume $A \rhd^{H\delta}_{\varphi} \beta$
4] $(\exists M)(A \rhd^{H}_{\varphi} M \ \wedge\ M \rhd^{\delta}_{\varphi} \beta)$ [3,1, th 5-4]
5] Case 1: $\beta \notin M$
6] $(\exists \delta, M)(M \rhd^{\delta}_{\varphi} \beta \ \wedge\ \beta \notin M)$ [4,5]
7] Case 2: $\beta \in M$
8] $A \rhd^{H}_{\varphi} \beta$ [4,7, th 5-3]
9] $(\exists \delta, M)(M \rhd^{\delta}_{\varphi} \beta \ \wedge\ \beta \notin M)$ [1,2,8, induction]
10] Assume $A \rhd^{\delta H}_{\varphi} \beta$
11] $(\exists M)(A \rhd^{\delta}_{\varphi} M \ \wedge\ M \rhd^{H}_{\varphi} \beta)$ [10,1, th 5-4]
12] Case 1: $\neg(M \subseteq A)$
13] $(\exists \delta, m \notin A)(A \rhd^{\delta}_{\varphi} m)$ [11,12]
14] Case 2: $M \subseteq A$
15] $A \rhd^{H}_{\varphi} \beta$ [13,14, th 2-2]
16] $(\exists \delta, m \notin A)(A \rhd^{\delta}_{\varphi} m)$ [1,2,15, induction]

Q.E.D. [3-(5-6, 7-9), 10-(12-13, 14-16)]